Android Runtime Denial-of-Service Vulnerability in DexUseManagerLocal

Vulnerability

A denial-of-service vulnerability has been identified in the Android Runtime component, specifically within the DexUseManagerLocal.java file. This issue arises from a logic error that can cause the system server to crash, leading to a local and permanent denial-of-service condition. The vulnerability does not require any additional execution privileges or user interaction for exploitation.

Impact

Exploitation of this vulnerability causes a crash of the system server, leading to a local and permanent denial-of-service condition.

Reproduction

The vulnerability can be reproduced by installing an application that interacts with the DexUseManagerLocal service. Once the application is installed, it can be run repeatedly until the system runs out of memory, demonstrating that the dex use database has not been properly managed. This can be verified using the Android ArtServiceTests, which include a test case for this vulnerability.

Remediation

Users can update their devices to the June 2025 security patch level to address this vulnerability.
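One way to verify the remediation above across a set of devices, as an added example that is not part of the original advisory. It assumes the June 2025 level appears as 2025-06-01 in the ro.build.version.security_patch property; the function names and the sample inventory (serials included) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify devices by security patch level.
# Assumption: the fixed level is written 2025-06-01; override REQUIRED_PATCH if
# your vendor bulletin names a different string.
REQUIRED_PATCH="${REQUIRED_PATCH:-2025-06-01}"

# Return 0 when $1 is a well-formed YYYY-MM-DD patch level.
is_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "patched", "vulnerable" or "unknown" for one patch level string.
classify_patch() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry a trailing CR
    is_patch_level "$level" || { echo unknown; return 0; }
    # Zero-padded ISO dates compare correctly once the dashes are removed.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Read the patch level from a live device (needs adb and an authorized device).
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch
}

# Read "serial patch-level" lines on stdin, print "serial status" per device.
audit_inventory() {
    while read -r serial reported; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch "$reported")"
    done
}

# Constructed sample inventory: one patched, one unpatched, one unreadable value.
SAMPLE_INVENTORY='emulator-5554 2025-06-05
R58M00EXAMPLE 2025-05-01
0A1B2C3D n/a
'

printf '%s' "$SAMPLE_INVENTORY" | audit_inventory
```

For a connected device, pass the output of device_patch_level to classify_patch; an "unknown" result means the property could not be read and the device should be checked by hand.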

Added: Sep 4, 2025, 6:44 PM
Updated: Sep 4, 2025, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.