Zero Day MonitorZDM

← Back to list

6.2

CVE-2026-0049EXPLOITEDPATCHED

google · android

CVE-2026-0049: In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhausti

Description

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor	Product	Versions
google	android	16-qpr2, 16, 15, 14

References

https://source.android.com/docs/security/bulletin/2026/2026-04-01(vendor-advisory)

Related News (2 articles)

Tier D

Heise Security2h ago

Patchday: Androids Schlüsselspeichersystem für Attacken anfällig

→ No new info (linked only)

Tier C

VulDB15h ago

CVE-2026-0049 | Google Android 14/15/16/16-qpr2 LocalImageResolver.java onHeaderDecoded resource consumption

→ No new info (linked only)

CVSS 3.16.2 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2026-04-05

PublishedApr 6, 2026

Last enriched1h agov3

Tags

DoSkey leak

Trending Score58

Source articles2

Independent2

Info Completeness9/14

Missing: epss, cwe, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-5281EXPKEV

CVE-2026-5281: Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the render

HIGHCVE-2026-3909EXPKEV

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

HIGHCVE-2026-3910EXPKEV

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi

HIGHCVE-2026-2441EXPKEV

Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

HIGHCVE-2026-5284EXP

CVE-2026-5284: Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the render

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 6, 2026

Discovered by ZDM

Apr 6, 2026

Actively Exploited

Apr 6, 2026

Exploit Available

Apr 6, 2026

Patch Available

Apr 6, 2026

Updated: tags

Apr 7, 2026

Updated: severity, exploitAvailable, activelyExploited, patchAvailable

Apr 7, 2026

Version History

v3

Last enriched 1h ago

v3Tier D1h ago

Updated severity to HIGH, marked exploit as available, noted active exploitation, and updated patch availability to 2026-04-05.

severityexploitAvailableactivelyExploitedpatchAvailable

via Heise Security

v2Tier D1h ago

Updated severity to CRITICAL, marked exploit as available, and added new patch date and tags.

tags

via Heise Security

v115h ago

Initial creation