CVE-2026-0074: Android LauncherProcessImageListener Denial of Service Vulnerability
CVE-2026-0074 is a denial-of-service vulnerability in Android's LauncherProcessImageListener component. An attacker with local system access can exhaust device resources through the getPreferredSize function, causing the launcher process to become unresponsive or crash. No special privileges or user interaction are required to trigger the flaw, making it a concern for multi-user devices and environments where untrusted code may run locally.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In getPreferredSize of LauncherProcessImageListener.kt, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in LauncherProcessImageListener.kt within the Android platform. The getPreferredSize method fails to properly validate or limit resource allocation when processing image dimensions, allowing an attacker to trigger uncontrolled resource consumption (CWE-400). The attack vector is local; the attacker must have shell-level access to the device. Once triggered, the exhaustion of memory, CPU, or other system resources causes denial of service to the launcher and potentially affects overall system stability.
Business impact
For enterprise Android deployments—including shared devices, managed endpoints, and multi-tenant scenarios—this vulnerability creates operational risk. A compromised or malicious app running with local privileges can disable the launcher without administrator intervention, rendering the device difficult to use. For consumer users, the impact is lower but still relevant if device is shared or if a sideloaded app gains local access. Organizations managing large Android fleets should assess whether their threat model includes local attackers or compromised processes within the same device.
Affected systems
The vulnerability affects Google Android. Specific version ranges and patch availability should be verified against Google's Android Security & Privacy Year in Review and official manufacturer security bulletins, as the provided data does not enumerate granular version boundaries.
Exploitability
Exploitation requires local access—an attacker cannot trigger this remotely over the network. An existing local account, compromised shell access, or a malicious app running under an unprivileged user context can exploit it. The attack is straightforward to execute once local presence is established; no special tools or user interaction are needed. The CVSS score of 5.5 (Medium) reflects the local-only attack vector combined with high availability impact but no confidentiality or integrity compromise.
Remediation
Apply the latest Android security update from your device manufacturer or Google. The core fix involves adding resource limits and validation within getPreferredSize to prevent unbounded allocation. Users should prioritize patching if their device is running a version known to include this flaw.
Patch guidance
Check your device manufacturer's security bulletin or Google's official Android Security & Privacy release notes for the patch date and affected release levels. Install available OTA (over-the-air) updates or security patches at the earliest opportunity. For enterprise environments, validate patch deployment through your MDM or device management platform before rolling out widely.
Detection guidance
Monitor for repeated crashes or hangs of the launcher process (com.android.launcher or vendor equivalent). Examine system logs for memory pressure events, out-of-memory (OOM) killer activity, or abnormal CPU spikes coinciding with the launcher. On managed devices, alert on unexpected process restarts of the launcher service. Forensic review of locally-installed apps or shell access patterns may help identify whether an attacker exploited this after gaining initial local foothold.
Why prioritize this
Although the CVSS score is Medium, prioritization depends on your environment. Prioritize if: (1) you manage multi-user or shared Android devices where local attacker scenarios are credible; (2) you run applications from less-trusted sources locally on managed devices; (3) your threat model includes compromised user-space processes. Deprioritize if your Android devices are single-user, locked down, and have no local untrusted code execution paths.
Risk score, explained
CVSS 3.1 score of 5.5 (Medium) is justified by: local-only attack vector (AV:L), low attack complexity (AC:L), requirement for low privileges (PR:L), no user interaction (UI:N), no scope change (S:U), high availability impact (A:H), and no confidentiality or integrity impact (C:N, I:N). The score appropriately reflects a resource-exhaustion flaw that is trivial to exploit locally but cannot be chained into remote compromise on its own.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack vector is strictly local (AV:L in CVSS). An attacker must already have shell-level or user-level access to the device or be able to run code locally to trigger resource exhaustion.
What happens if the launcher crashes due to this vulnerability?
The launcher process becomes unresponsive or restarts. Users may experience a frozen home screen or delayed app access until the launcher recovers. In multi-app or enterprise scenarios, this can degrade device usability and productivity.
Do I need special permissions to exploit this?
No. Exploitation requires only local access (PR:L in CVSS terms—a low-privilege local account or process). No administrator or system-level permissions are needed to trigger the resource exhaustion.
Is this vulnerability included in Google's Known Exploited Vulnerabilities (KEV) catalog?
No. At publication, this vulnerability is not listed on the CISA KEV catalog, indicating no known active exploitation in the wild as of the advisory date. However, absence from KEV does not mean the flaw is unexploited; it reflects a lack of confirmed real-world exploitation reports at the time of disclosure.
This analysis is based on publicly available vulnerability data as of the stated publication and modification dates. Version numbers, patch timelines, and affected build levels should be verified against official Google Android Security & Privacy advisories and manufacturer release notes. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific device inventory, threat model, and update cadence. SEC.co makes no warranty regarding the completeness or applicability of this intelligence to any particular environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint
- CVE-2026-10224MEDIUMNousResearch hermes-agent Webhook Resource Exhaustion Vulnerability
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update