Zero Day MonitorZDM

← Back to list

6.2

CVE-2026-0049EXPLOITEDPATCHED

google · android

CVE-2026-0049: In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhausti

Description

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor	Product	Versions
google	android	16-qpr2, 16, 15, 14

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
google	android	cert_advisory	90%

References

https://source.android.com/docs/security/bulletin/2026/2026-04-01(vendor-advisory)

Related News (3 articles)

Tier B

BSI Advisories2h ago

[NEU] [mittel] Google Android: Mehrere Schwachstellen

→ No new info (linked only)

Tier D

Heise Security4h ago

Patchday: Androids Schlüsselspeichersystem für Attacken anfällig

→ No new info (linked only)

Tier C

VulDB17h ago

CVE-2026-0049 | Google Android 14/15/16/16-qpr2 LocalImageResolver.java onHeaderDecoded resource consumption

→ No new info (linked only)

CVSS 3.16.2 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2026-04-05

PublishedApr 6, 2026

Last enriched3h agov3

Tags

DoSkey leakmultiple vulnerabilitiesdenial of serviceandroid

Trending Score62

Source articles3

Independent3

Info Completeness9/14

Missing: epss, cwe, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-5281EXPKEV

CVE-2026-5281: Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the render

HIGHCVE-2026-3909EXPKEV

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

HIGHCVE-2026-3910EXPKEV

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi

HIGHCVE-2026-2441EXPKEV

Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CRITICALCVE-2026-5289EXP

CVE-2026-5289: Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 6, 2026

Discovered by ZDM

Apr 6, 2026

Actively Exploited

Apr 6, 2026

Exploit Available

Apr 6, 2026

Patch Available

Apr 6, 2026

Updated: tags

Apr 7, 2026

Updated: severity, exploitAvailable, activelyExploited, patchAvailable

Apr 7, 2026

Version History

v3

Last enriched 3h ago

v3Tier D3h ago

Updated severity to HIGH, marked exploit as available, noted active exploitation, and updated patch availability to 2026-04-05.

severityexploitAvailableactivelyExploitedpatchAvailable

via Heise Security

v2Tier D3h ago

Updated severity to CRITICAL, marked exploit as available, and added new patch date and tags.

tags

via Heise Security

v117h ago

Initial creation