Android Package Manager Service Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Android Package Manager Service. The issue arises from improper input validation in the 'setApplicationHiddenSettingAsUser' function: the function does not reject requests to hide packages the system depends on, so a critical system package can be hidden. The vulnerability is exploitable locally and requires neither additional execution privileges nor user interaction.

Impact

Exploitation of this vulnerability leads to a local denial-of-service condition, causing the device to become unresponsive or difficult to use. Notably, hiding the SystemUI can make the phone impossible to operate, even within a managed profile.

Reproduction

The vulnerability can be reproduced manually with a custom Device Policy Controller (DPC) that sends a request to the Package Manager Service to hide a system-critical package, such as the SystemUI. Because 'setApplicationHiddenSettingAsUser' does not validate the target package, the request succeeds without any user interaction.
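Until a device carries the patched platform, the only place a DPC author can add a guard is on the DPC side. The following helper is an added example, not code from the advisory or from AOSP: it wraps the public DevicePolicyManager.setApplicationHidden API with a local policy check that refuses to hide packages on a constructed deny-list (the list contents, the class name SafeHideHelper and the method names are assumptions) or any package flagged as part of the system image, and logs the refusal so an administrator can see attempts against protected packages.

```java
// Added example (not from the advisory or AOSP): defensive wrapper around
// DevicePolicyManager.setApplicationHidden for a custom DPC. It refuses to hide
// packages that live on the system image or that appear on a constructed
// deny-list, so a mis-configured or abused management channel cannot hide
// SystemUI through this DPC even on an unpatched device.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.util.Log;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class SafeHideHelper {
    private static final String TAG = "SafeHideHelper";

    // Constructed deny-list for illustration; a real DPC would source this from policy.
    private static final Set<String> PROTECTED_PACKAGES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "com.android.systemui",
                    "android",
                    "com.android.settings")));

    private SafeHideHelper() {}

    /** Returns true only if the DPC's own policy permits hiding this package. */
    public static boolean isHideAllowed(PackageManager pm, String packageName) {
        if (packageName == null || packageName.isEmpty()) {
            return false;
        }
        if (PROTECTED_PACKAGES.contains(packageName)) {
            return false;
        }
        try {
            ApplicationInfo info = pm.getApplicationInfo(packageName, 0);
            // Never hide anything installed on the system image.
            if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                return false;
            }
        } catch (PackageManager.NameNotFoundException e) {
            // Unknown package: refuse rather than forward an unvalidated name.
            return false;
        }
        return true;
    }

    /**
     * Hides the package only when the local check passes. Refusals are logged
     * at WARN so that audit tooling can pick up attempts against protected packages.
     */
    public static boolean hideIfSafe(Context ctx, ComponentName admin, String packageName) {
        PackageManager pm = ctx.getPackageManager();
        if (!isHideAllowed(pm, packageName)) {
            Log.w(TAG, "Refusing to hide protected or unknown package: " + packageName);
            return false;
        }
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.setApplicationHidden(admin, packageName, true);
    }
}
```

The guard is defense in depth for the DPC only; it does not fix the missing validation inside the Package Manager Service, which is what the September 2025 patch addresses.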

Remediation

Users can update their devices to the September 2025 security patch level, which addresses this vulnerability.

Added: Sep 4, 2025, 7:26 PM
Updated: Sep 4, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          3.1
  exploitability  4.3
  remediation     0.0
  relevance       0.4
  threat          4.8
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.