Android Framework LocalImageResolver Resource Exhaustion Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Android Framework's LocalImageResolver component. It arises from improper handling of image data, which can lead to excessive resource consumption. The flaw can be triggered remotely and requires no additional privileges or user interaction. Affected devices include those running Android versions 13, 14, 15, and 16.
Impact
Exploitation of this vulnerability causes a persistent denial-of-service condition, leading to a crash loop on affected devices.
Reproduction
The vulnerability can be reproduced by sending a notification that includes an image file larger than the maximum allowed size. This can be done using a GIF file that exceeds the standard image dimensions, such as 16,000 by 16,000 pixels. The LocalImageResolver component will attempt to process the image, leading to resource exhaustion and causing the device to crash repeatedly.
Remediation
Users can update their devices to the December 2025 security patch level to address this vulnerability.
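For code that decodes untrusted images itself, the oversized-GIF case described under Reproduction can be caught from the header before any bitmap is allocated. The following is an added example, not the Android patch or framework code; the 64 MiB budget, the 4-bytes-per-pixel output, the subsampling cap and all function names are assumptions.

```python
import struct

# Assumed limits for this sketch; neither value comes from Android.
MAX_DECODED_BYTES = 64 * 1024 * 1024   # budget for one decoded bitmap
BYTES_PER_PIXEL = 4                    # 32-bit RGBA output


class ImageRejected(ValueError):
    """Raised when an image must not be handed to the decoder."""


def gif_canvas_size(data):
    """Read (width, height) from the GIF logical screen descriptor."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ImageRejected("not a GIF, or header truncated")
    width, height = struct.unpack_from("<HH", data, 6)  # little-endian u16s
    if width == 0 or height == 0:
        raise ImageRejected("zero-sized canvas")
    return width, height


def plan_decode(data, budget=MAX_DECODED_BYTES, max_sample=8):
    """Return (width, height, full_bytes, sample) or raise ImageRejected.

    sample is the smallest power-of-two subsampling factor whose output
    fits the budget. File size is not consulted: it says little about
    how much memory the decoded pixels will need.
    """
    width, height = gif_canvas_size(data)
    full_bytes = width * height * BYTES_PER_PIXEL
    sample = 1
    # -(-a // b) is ceiling division: the subsampled edge length.
    while -(-width // sample) * -(-height // sample) * BYTES_PER_PIXEL > budget:
        sample *= 2
    if sample > max_sample:
        raise ImageRejected(f"{width}x{height} needs 1/{sample} subsampling")
    return width, height, full_bytes, sample


def constructed_gif_header(width, height):
    """Constructed sample input: header plus logical screen descriptor only."""
    return b"GIF89a" + struct.pack("<HHBBB", width, height, 0, 0, 0)


if __name__ == "__main__":
    print(plan_decode(constructed_gif_header(16000, 16000)))
    print(plan_decode(constructed_gif_header(640, 480)))
```

A header check like this is only a first gate: the declared canvas can disagree with the frame data, so the decoder itself still needs to enforce the same budget.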