PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28575 Google CVE debrief

CVE-2026-28575 is a local denial of service vulnerability in Android PackageInstaller. The vulnerability exists in the PackageInstaller.Session#transfer method of the frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java file. An attacker could exploit this vulnerability to cause a local denial of service without requiring additional execution privileges. User interaction is not needed for exploitation. This vulnerability has a CVSS score of 10 and a severity of CRITICAL.

Vendor
Google
Product
Android
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Android users and administrators should be aware of this vulnerability and take necessary precautions to protect their devices. This vulnerability could be exploited by a local attacker to cause a denial of service, potentially disrupting critical services or operations. Operators, platform administrators, and security teams should review the vulnerability details and take action to mitigate the risk.

Technical summary

The vulnerability is caused by a logic error in the PackageInstaller.Session#transfer method. This method is part of the Android PackageInstaller service, which is responsible for installing and managing packages on an Android device. The vulnerability has a CVSS score of 10 and a severity of CRITICAL. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

High

Recommended defensive actions

  • Apply the patch or update to a fixed version of Android
  • Restrict access to the PackageInstaller service
  • Monitor system logs for suspicious activity
  • Implement additional security controls to prevent local attacks
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T13:20:15.237Z and has not been modified since then. The NVD entry is currently Analyzed. The vulnerability is related to CWE-400. There is limited information available about the specific details of the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Android security bulletin provides additional context for mitigation and remediation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:15.237Z and has not been modified since then. The NVD entry is currently Analyzed.