Critical Android Flaw Allows Zero-Interaction Denial-of-Service Attacks

Google released its April 2026 Android Security Bulletin, addressing multiple vulnerabilities. The most alarming flaw is a critical security vulnerability in the Android Framework.

This Framework flaw (CVE-2026-0049), tracked as the Zero-Click Framework Flaw, allows attackers to trigger a local denial-of-service (DoS) state. The exploit requires no user interaction and needs no elevated privileges.

It functions locally, meaning an attacker could theoretically crash a device or render core services unavailable, potentially bypassing standard platform mitigations.

This critical DoS vulnerability impacts:

  • Android 14
  • Android 15
  • Android 16
  • Android 16-qpr2

The bulletin also patches a high-severity vulnerability affecting hardware and vendor components, tracked under CVE-2025-48651. This flaw targets Android’s StrongBox hardware-backed keystore for protecting cryptographic keys. The issue spans multiple major hardware vendors (Google, NXP, STMicroelectronics, Thales), with coordinated patches.

Patch Levels and Mitigation

Devices need the 2026-04-05 security patch level for full protection. This update is split into two phases:

  • 2026-04-01 patch: Addresses the critical Framework DoS flaw (CVE-2026-0049)
  • 2026-04-05 patch: Covers the high-severity StrongBox vendor vulnerabilities

Devices running Android 10 or later receive these fixes via standard over-the-air updates, supported by Google Play Protect.

Google also announced a shift in open-source code drop schedules. Moving forward, source code for security patches will be published to AOSP specifically in Q2 and Q4, instead of monthly.

Developers using the android-latest-release branch can explore the latest security patches.

Related Articles

Back to top button