Critical Android Flaw Allows Zero-Interaction Denial-of-Service Attacks
Google released its April 2026 Android Security Bulletin, addressing multiple vulnerabilities. The most alarming flaw is a critical security vulnerability in the Android Framework.
This Framework flaw (CVE-2026-0049), tracked as the Zero-Click Framework Flaw, allows attackers to trigger a local denial-of-service (DoS) state. The exploit requires no user interaction and needs no elevated privileges.
It functions locally, meaning an attacker could theoretically crash a device or render core services unavailable, potentially bypassing standard platform mitigations.
This critical DoS vulnerability impacts:
- Android 14
- Android 15
- Android 16
- Android 16-qpr2
The bulletin also patches a high-severity vulnerability affecting hardware and vendor components, tracked under CVE-2025-48651. This flaw targets Android’s StrongBox hardware-backed keystore for protecting cryptographic keys. The issue spans multiple major hardware vendors (Google, NXP, STMicroelectronics, Thales), with coordinated patches.
Patch Levels and Mitigation
Devices need the 2026-04-05 security patch level for full protection. This update is split into two phases:
- 2026-04-01 patch: Addresses the critical Framework DoS flaw (CVE-2026-0049)
- 2026-04-05 patch: Covers the high-severity StrongBox vendor vulnerabilities
Devices running Android 10 or later receive these fixes via standard over-the-air updates, supported by Google Play Protect.
Google also announced a shift in open-source code drop schedules. Moving forward, source code for security patches will be published to AOSP specifically in Q2 and Q4, instead of monthly.
Developers using the android-latest-release branch can explore the latest security patches.