CVE-2025-26432
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-130 | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a missing length check in multiple locations of the Android system, which allows an attacker to cause a persistent denial of service (DoS) on the device. Specifically, excessively long tags in the CompanionDeviceManagerService component can trigger this issue. No user interaction or additional privileges are required to exploit this vulnerability. [1]
How can this vulnerability impact me? :
The vulnerability can cause a local denial of service on the affected device, making it unresponsive or unstable without needing any special privileges or user interaction. This could disrupt normal device operations and availability. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the update that includes the fix limiting the maximum length of tags to 1024 characters in the CompanionDeviceManagerService component. This fix prevents the vulnerability by enforcing length checks and mitigating potential denial of service conditions. [1]