{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0015", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "state": "PUBLISHED", "assignerShortName": "google_android", "dateReserved": "2025-10-15T15:38:46.659Z", "datePublished": "2026-03-02T18:42:40.526Z", "dateUpdated": "2026-03-06T03:49:23.989Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Android", "vendor": "Google", "versions": [{"status": "affected", "version": "16-qpr2"}, {"status": "affected", "version": "16"}, {"status": "affected", "version": "15"}, {"status": "affected", "version": "14"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In multiple locations of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.</p>"}], "value": "In multiple locations of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."}], "problemTypes": [{"descriptions": [{"description": "Denial of service", "lang": "en"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-03-06T03:49:23.989Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.7.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T21:22:49.853134Z", "id": "CVE-2026-0015", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:22:53.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0015", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T21:22:49.853134Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:22:45.428Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "16-qpr2"}, {"status": "affected", "version": "16"}, {"status": "affected", "version": "15"}, {"status": "affected", "version": "14"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.7.1"}, "descriptions": [{"lang": "en", "value": "In multiple locations of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.", "supportingMedia": [{"type": "text/html", "value": "<p>In multiple locations of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Denial of service"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-03-06T03:49:23.989Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0015", "state": "PUBLISHED", "dateUpdated": "2026-03-06T03:49:23.989Z", "dateReserved": "2025-10-15T15:38:46.659Z", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "datePublished": "2026-03-02T18:42:40.526Z", "assignerShortName": "google_android"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*", "matchCriteriaId": "FD695F32-4A73-4846-B1A1-04FF266E9C15", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*", "matchCriteriaId": "3DE9F018-8704-476B-8D59-F63F8486E231", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*", "matchCriteriaId": "BE95A642-4330-4F65-B028-3BA597D30F32", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In multiple locations of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."}, {"lang": "es", "value": "En m\u00faltiples ubicaciones de AppOpsService.java, existe una posible denegaci\u00f3n de servicio persistente debido a una validaci\u00f3n de entrada incorrecta. Esto podr\u00eda llevar a una denegaci\u00f3n de servicio local sin necesidad de privilegios de ejecuci\u00f3n adicionales. No se requiere interacci\u00f3n del usuario para su explotaci\u00f3n."}], "id": "CVE-2026-0015", "lastModified": "2026-03-06T04:16:04.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T19:16:30.020", "references": [{"source": "security@android.com", "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16-qpr2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "14"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Android", "source": "cna", "vendor": "Google"}, "product": "android", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T14:24:53.736620+00:00", "value": {"mitigation_remediation": ["Update the device to the latest Android security patch as described in the 2026\u201103\u201101 bulletin, which includes the AppOpsService fix.", "Reboot the device after installing the patch to ensure the service is running the corrected version.", "Limit exposure by uninstalling or temporarily disabling third\u2011party applications that frequently invoke AppOpsService operations until the device is patched."], "summary": {"action": "Apply Patch", "impact": "Local Denial of Service"}, "threat_synthesis": {"affected_systems": "Android 14.0, 15.0, 16.0, and the 16.0 release candidates qpr2 beta 1\u20113. All affected versions are listed in the Android 2026\u201103\u201101 security bulletin.", "description_and_impact": "The vulnerability is a local persistent denial of service caused by improper input validation in AppOpsService.java. It can trigger service crashes that degrade device responsiveness, impacting the availability of affected applications and system services. The weakness is an input validation error (CWE\u201120).", "risk_and_exploitability": "The CVSS score of 6.2 classifies this issue as medium severity. The EPSS <1% indicates a very low probability that an exploit will be observed in the wild, and it is not listed in the CISA KEV catalog. The flaw is local; it does not require network access or privilege escalation and does not need user interaction, meaning any user with device access could trigger the denial of service by sending malformed inputs to AppOpsService."}}}}, "created": "2026-03-03T08:41:37.315362+00:00", "title": "Local Denial of Service via Improper Input Validation in AppOpsService", "updated": "2026-04-16T14:30:16.144382+00:00", "vendors": ["google", "google$PRODUCT$android"]}