CVE-2025-26456
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-08
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 14.0 | |
| android | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in multiple functions of DexUseManagerLocal.java within the Android Runtime (ART) service. It can cause the system server to crash, leading to a local permanent denial of service without requiring any user interaction or additional privileges. The issue relates to how the dex use database handles secondary dex files, where unbounded growth of database entries could occur, potentially exhausting resources and causing the crash. [2]
How can this vulnerability impact me? :
The vulnerability can cause a local permanent denial of service by crashing the system server. This means your device could become unstable or unresponsive without any user action or elevated privileges. It could lead to resource exhaustion due to uncontrolled growth of the dex use database, impacting device performance and reliability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local permanent denial of service caused by a logic error in DexUseManagerLocal.java within the Android Runtime (ART) service. Detection would involve monitoring for system server crashes or instability related to ART. Since the issue relates to unbounded growth of the dex use database and SELinux denials on secondary dex files, you can check system logs for ART service crashes or SELinux denials. Commands to check logs include: 'logcat' to view Android system logs for ART crashes, and 'dmesg' or 'ausearch' to check SELinux denial messages. Additionally, monitoring the size of the dex use database or ART-related files for abnormal growth could help detect exploitation attempts. However, no specific detection commands are provided in the resources. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the security fixes provided by the Android platform updates that address CVE-2025-26456. These fixes include limiting the number of secondary dex files per owning package, adding existence checks for dex files when loading packages differ from owning packages, and resolving SELinux policy enforcement issues related to secondary dex file symlinks. Therefore, updating the Android system to include the patches referenced in the commits (hashes 06a99377e368b688dbeb4e6bb11b6e1dfca8bb70, 1aedae6e1049aa794b3554183bf07634c8fa291b, and 3c76194d116bad95e11bda345feaedda6c02c8b4) is the recommended immediate step. No user interaction or additional privileges are needed for exploitation, so patching is critical. Until patches are applied, monitoring for system server crashes and SELinux denials may help mitigate impact. [1, 2, 3]