CVE-2025-26456
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-09-08

Assigner: Android (associated with Google Inc. or Open Handset Alliance)

Description
In multiple functions of DexUseManagerLocal.java, there is a possible way to crash system server due to a logic error in the code. This could lead to local permanent denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-04
Last Modified
2025-09-08
Generated
2026-06-16
AI Q&A
2025-09-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-26456
EUVD
EUVD-2025-27043
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
google android 14.0
google android 15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a logic error in multiple functions of DexUseManagerLocal.java within the Android Runtime (ART) service. It can cause the system server to crash, leading to a local permanent denial of service without requiring any user interaction or additional privileges. The issue relates to how the dex use database handles secondary dex files, where unbounded growth of database entries could occur, potentially exhausting resources and causing the crash. [2]

Impact Analysis

The vulnerability can cause a local permanent denial of service by crashing the system server. This means your device could become unstable or unresponsive without any user action or elevated privileges. It could lead to resource exhaustion due to uncontrolled growth of the dex use database, impacting device performance and reliability. [2]

Detection Guidance

This vulnerability is a local permanent denial of service caused by a logic error in DexUseManagerLocal.java within the Android Runtime (ART) service. Detection would involve monitoring for system server crashes or instability related to ART. Since the issue relates to unbounded growth of the dex use database and SELinux denials on secondary dex files, you can check system logs for ART service crashes or SELinux denials. Commands to check logs include: 'logcat' to view Android system logs for ART crashes, and 'dmesg' or 'ausearch' to check SELinux denial messages. Additionally, monitoring the size of the dex use database or ART-related files for abnormal growth could help detect exploitation attempts. However, no specific detection commands are provided in the resources. [1, 2, 3]

Mitigation Strategies

Immediate mitigation involves applying the security fixes provided by the Android platform updates that address CVE-2025-26456. These fixes include limiting the number of secondary dex files per owning package, adding existence checks for dex files when loading packages differ from owning packages, and resolving SELinux policy enforcement issues related to secondary dex file symlinks. Therefore, updating the Android system to include the patches referenced in the commits (hashes 06a99377e368b688dbeb4e6bb11b6e1dfca8bb70, 1aedae6e1049aa794b3554183bf07634c8fa291b, and 3c76194d116bad95e11bda345feaedda6c02c8b4) is the recommended immediate step. No user interaction or additional privileges are needed for exploitation, so patching is critical. Until patches are applied, monitoring for system server crashes and SELinux denials may help mitigate impact. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-26456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart