CVE-2026-28575

MEDIUM google android NVD

CVSS Score 5.5

Severity MEDIUM

Published Jun 17, 2026

Vendor google

Description

In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor Advisories

https://source.android.com/docs/security/bulletin/android-17

References

https://source.android.com/docs/security/bulletin/android-17