CVE-2025-26463
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the allowPackageAccess function where repeatedly adding allowed packages can cause resource exhaustion. This leads to a local persistent denial of service without requiring any additional execution privileges or user interaction. Essentially, the system can be overwhelmed by handling too many package entries, causing it to become unresponsive or fail. [1]
How can this vulnerability impact me? :
The impact of this vulnerability is a local persistent denial of service on the affected Android system. An attacker could exploit it to make the system unresponsive or disrupt normal operations without needing elevated privileges or user interaction, potentially causing inconvenience or downtime. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the security patch implemented in the Android platform's framework as per commit 4b630be2e2b30ff3c57128c660bfef6514193d25. This patch introduces safeguards in BlobStoreManager.java and BlobStoreSession.java to prevent resource exhaustion caused by excessively long package names and certificates. Updating your system to include this fix will mitigate the vulnerability. [1]