Platform: android
Component: localimageresolver
Fixed in: 16.0.1, 16-qpr2
CVE-2026-0049 represents a Denial of Service (DoS) vulnerability discovered within the LocalImageResolver component of Android. This flaw allows for resource exhaustion, potentially causing a local denial of service, meaning the device becomes unresponsive. The vulnerability impacts Android versions 14–16-qpr2, but a patch is available for Android 16-qpr2.
CVE-2026-0049 is a persistent denial-of-service (DoS) vulnerability in Android, identified within the LocalImageResolver.java component, specifically in the onHeaderDecoded function. The vulnerability stems from a resource exhaustion issue when processing images. A local attacker could exploit this flaw to cause a denial of service, preventing the device from functioning correctly. No additional privileges are required for exploitation, and user interaction is not needed, increasing the risk of exploitation. The severity of this vulnerability lies in its potential to disrupt normal device operation, affecting user experience and potentially causing data loss if the device unexpectedly restarts during a critical operation. Applying security update 16-qpr2 is strongly recommended to mitigate this risk.
Exploitation of CVE-2026-0049 requires local access to the Android device. An attacker could exploit this vulnerability by sending a sequence of specially crafted images designed to exhaust system resources. Because user interaction is not required, exploitation can occur silently and without the user's knowledge. The attacker could, for example, send malicious images through an application or service that processes images. The lack of proper validation of image headers in LocalImageResolver.java allows for excessive resource consumption, leading to a denial of service. The vulnerability is particularly concerning on devices with limited resources, where resource exhaustion can occur more quickly.
Exploit Status
EPSS: 0.01% (1% percentile)
The solution for CVE-2026-0049 is to update your Android device to version 16-qpr2 or later. This update includes the necessary fixes to address the resource exhaustion vulnerability in LocalImageResolver.java. Device manufacturers and mobile carriers should deploy this update as soon as possible to protect their users. Additionally, users are advised to keep their devices updated with the latest security patches to ensure maximum protection against known vulnerabilities. Monitoring official Android security sources for updates on this and other vulnerabilities is a recommended practice. The update corrects how image headers are handled, preventing excessive resource consumption.
Update your Android device to version 16-qpr2 or later to mitigate the risk of denial of service. This update addresses a vulnerability that could allow an attacker to cause a local denial of service by exhausting system resources. Ensure your device is configured to receive automatic security updates.
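For app developers who decode images from untrusted sources, the sketch below shows the general defensive pattern of bounding a decode inside an `ImageDecoder` header callback, before any pixel buffer is allocated. It is an added example, not the AOSP patch for LocalImageResolver.java (which this page does not show); the class name `BoundedImageLoader` and both size limits are assumptions chosen for illustration.

```java
import android.graphics.ImageDecoder;
import android.graphics.drawable.Drawable;
import android.util.Size;
import java.io.IOException;

/** Added illustration; class name and limits are assumptions, not AOSP code. */
public final class BoundedImageLoader {
    // Assumed caps for this sketch; tune them to the surface that shows the image.
    private static final int MAX_EDGE_PX = 2048;
    private static final long MAX_SOURCE_PIXELS = 64L * 1024 * 1024;

    private BoundedImageLoader() {}

    /** Smallest power-of-two sample size that brings both edges under MAX_EDGE_PX. */
    static int sampleSizeFor(int width, int height) {
        int longest = Math.max(width, height);
        int sample = 1;
        // long arithmetic so a hostile header value cannot overflow the comparison
        while ((long) MAX_EDGE_PX * sample < longest) {
            sample *= 2;
        }
        return sample;
    }

    /** Decodes a drawable, rejecting or downsampling based on the declared header size. */
    public static Drawable decode(ImageDecoder.Source source) throws IOException {
        return ImageDecoder.decodeDrawable(source, (decoder, info, src) -> {
            // The header callback runs after the header is parsed and before
            // pixels are decoded, so limits applied here bound the allocation.
            Size size = info.getSize();
            long pixels = (long) size.getWidth() * size.getHeight();
            if (pixels > MAX_SOURCE_PIXELS) {
                // Refuse outright instead of spending CPU on an extreme downscale.
                throw new IllegalArgumentException("declared image size too large: " + size);
            }
            int sample = sampleSizeFor(size.getWidth(), size.getHeight());
            if (sample > 1) {
                decoder.setTargetSampleSize(sample);
            }
        });
    }
}
```

Callers should treat both `IOException` and the `IllegalArgumentException` thrown above as a rejected image and fall back to a placeholder rather than retrying the decode.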
A Denial of Service is an attack that attempts to make a network service or resource unavailable to its legitimate users.
Go to your device's settings, look for 'Software update,' and check for available updates.
Contact your device manufacturer or mobile carrier for assistance.
The vulnerability affects devices running Android versions prior to 16-qpr2 and that utilize the LocalImageResolver.java component.
There is no viable workaround without updating the device to version 16-qpr2 or later.