External risk intelligence

Android Manifest Missing Permission Allows Local Denial of Service.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-28573

A vulnerability in Android's manifest file allows for local denial of service. This issue does not require user interaction or special privileges, potentially impacting service availability on affected devices.

Denial of Service

Halo Surface Signal

Very unlikely · external exposure

1Halo Surface Signal

The vulnerability exists within the AndroidManifest.xml and is described as a local denial of service issue. This type of vulnerability typically requires local access to the device's manifest or application environment and is not accessible or reachable via the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Android's manifest file could allow for a persistent denial of service without requiring user interaction or special privileges. This issue could impact the availability of services on affected devices.

  • A flaw allows denial of service without interaction.
  • Leadership should remember this for potential service disruptions.
  • Confirm relevance and exposure for affected Android devices.

Attack Path

How an attacker could exploit the issue

An attacker could trigger a persistent denial of service by exploiting a missing permission check in the Android manifest file. This vulnerability does not require any special privileges or user interaction to activate, and it can be exploited locally on a device. Once triggered, it can lead to a denial of service that persists on the device.

  • No specific access required.
  • Missing permission check in manifest.
  • Local denial of service risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Android could allow an attacker to cause a persistent denial of service. Without needing any special privileges or user interaction, an attacker could exploit this to prevent the system or affected services from operating normally.

  • System availability.
  • Missing permission check allows exploitation.
  • Persistent denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Android devices, specifically concerning the AndroidManifest.xml file. Given the potential for local denial of service without requiring additional privileges or user interaction, the primary responsibility for assessment and mitigation likely falls to the device owners or application teams managing the affected Android environments. The first practical step is to identify all Android devices and applications that could be running this potentially vulnerable configuration, determine their business criticality, and then ascertain the specific owner responsible for the affected components.

  • Confirm asset ownership and scope.
  • Verify local reachability and impact.
  • Plan risk-based remediation actions.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-28573 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for a persistent denial of service due to a missing permission check, potentially impacting system availability and therefore is considered relevant.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the AndroidManifest.xml file mentioned in CVE-2026-28573?

The AndroidManifest.xml is a mandatory configuration file for every Android application. It provides essential information to the Android system, such as which permissions the app requires and which internal components are exposed to other apps or the system. This CVE specifically highlights a configuration error within this file that fails to properly restrict access to certain services.

How does a missing permission check cause a denial of service?

This vulnerability is a form of improper access control. Because the manifest fails to enforce a necessary permission check, it allows unauthorized processes to interact with a system component in a way that disrupts its operation. By sending specific requests that the component is not designed to handle securely, the attacker can force the service to crash or become unresponsive, resulting in a persistent denial of service.

Do I need to interact with the device to trigger this vulnerability?

No. The vulnerability does not require any user interaction or elevated privileges to activate. Because the flaw exists at the component configuration level, it can be triggered automatically by other malicious code or apps present on the device. However, this issue does not trigger remotely via the network; it requires local access to the device's environment to execute.

Why is this CVE flagged as external if it is a local issue?

While the vulnerability itself is local, Halo Surface Signal notes that common classification frameworks may use broad metrics that default to network vectors. In this specific case, the actual attack surface is limited to the local device environment. You should focus on devices where untrusted apps could be installed, as the threat is not reachable from the public internet.

What should I do first to address CVE-2026-28573?

Begin by identifying which Android devices and applications in your environment are running the affected configuration. Since this is a local issue, prioritize devices where users have the freedom to install third-party applications, as these are the most likely vectors. Once identified, evaluate the criticality of the services on those devices and coordinate with your application teams to apply the necessary manufacturer or system updates.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished