Android Framework Denial-of-Service Vulnerability in App Ops Management
Vulnerability
A denial-of-service vulnerability has been identified in the Android Framework's App Ops management. This issue arises from a logic error that allows the creation of a large number of app operation entries for multiple packages. The vulnerability can lead to a local denial-of-service condition by causing a TransactionTooLargeException, which disrupts normal system operations. Notably, this vulnerability does not require any additional execution privileges or user interaction for exploitation.
Impact
Exploitation of this vulnerability causes a local denial-of-service condition, where the system experiences a crash or significant slowdown, disrupting normal user activities and potentially causing applications to become unresponsive.
Reproduction
The vulnerability can be reproduced by using a proof-of-concept application that generates attributed operation entries for a large number of packages. This can be done by interacting with the application's app operation features in a way that exceeds the normal handling capacity, triggering the TransactionTooLargeException. After the vulnerability is fixed, this crash no longer occurs, and the device can boot successfully.
Remediation
Users can update their devices to the December 2025 security patch level to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.