External risk intelligence

Android PackageInstaller Memory Exhaustion Denial of Service

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-28575

A logic error in Android's PackageInstaller can cause memory exhaustion, leading to a local denial of service. This vulnerability does not require special access or user interaction to exploit, potentially impacting device operations. The attack vector is local, suggesting a limited external threat.

Denial of Service

Halo Surface Signal

Very unlikely · external exposure


The vulnerability exists within the Android PackageInstaller system service, which is a local component of the Android operating system. It requires local access to the device's internal framework services and is not a network-accessible service, web application, or edge gateway.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability within Android's PackageInstaller that could allow an attacker to cause memory exhaustion, potentially leading to a denial of service on affected devices. While the vulnerability is rated as critical, current analysis suggests it may have a limited attack surface due to its local nature.

  • A flaw in Android's package installer can crash devices.
  • Critical flaw found in core Android system component.
  • Confirm relevance and exposure for Android devices.

Attack Path

How an attacker could exploit the issue

An attacker could trigger a memory exhaustion vulnerability within the Android PackageInstaller system service. This could lead to a local denial of service, disrupting the device's normal operation.

  • No special access needed.
  • Vulnerable code directly triggered.
  • Denial of service risk.

Live Threat

Current exploitation, exposure, and threat context

A logic error in the Android PackageInstaller could lead to memory exhaustion, potentially causing a local denial of service. This could affect the normal operation of the device's package management system.

  • System services could become unresponsive.
  • Local exploitation could exhaust memory.
  • Device denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides within the Android PackageInstaller system service, a core component of the operating system. Real-world ownership likely falls to mobile device management (MDM) teams, platform security teams, or the teams responsible for the Android OS build if it is a custom enterprise image. The first practical step is to identify all Android devices within the environment, confirm which of them expose the service to local users or apps (noting that this CVE states no user interaction is needed for exploitation), and then assess business criticality before planning remediation.

  • Identify and confirm Android device ownership.
  • Verify device exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-28575 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for a memory exhaustion attack, potentially leading to denial of service. Such issues can cause an ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is the Android PackageInstaller service?

The PackageInstaller is a fundamental Android system service responsible for handling the installation, updates, and removal of applications. It manages the process of parsing package files, verifying signatures, and ensuring that software is correctly integrated into the operating system's environment. Because it interacts directly with core system frameworks, it acts as a gatekeeper for what software can run on a device.

What does CWE-400 mean for CVE-2026-28575?

This CVE involves a weakness class known as CWE-400, or Uncontrolled Resource Consumption. In plain terms, it means the software does not properly limit the amount of system memory it uses when performing a specific task. By triggering this logic error, an attacker can force the system to consume so much memory that it becomes overwhelmed, leading to a local denial of service where the device stops responding correctly.

How is this memory exhaustion triggered?

The vulnerability is triggered by a logic error within the PackageInstallerSession code, which causes the service to consume excessive memory. It is important to note that this specific flaw requires local access to interact with the system service. Standard network-based requests or traffic sent to the device from the internet will not trigger this vulnerability.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that risk for this vulnerability is very unlikely for typical deployments. Because the flaw exists deep within the internal Android framework services—rather than in a web application or internet-facing network service—it is not reachable from the outside. You should prioritize assets where users or applications might have local access to trigger system-level operations.

How should I respond to this Android vulnerability?

Your first step is to perform an inventory of Android devices in your environment to understand your total device population. Since this affects a core system component, work with your mobile device management or platform security teams to track Android security bulletin updates from your device manufacturers. Monitor for official system patches that address the underlying logic error in the package management framework.
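The inventory step described under "Operational Fix" and in the answer above amounts to listing every managed Android device with its security patch level and flagging those that predate the bulletin carrying the fix. The script below is an added example written for this page, not Halo's tooling or code from the Android project. It assumes the patch level is the value Android reports in the system property ro.build.version.security_patch (format YYYY-MM-DD), that the inventory is a simple "serial model patch_level" listing exported from MDM or collected per device with adb, and that the caller supplies the threshold date, because this advisory does not state which security bulletin fixes the issue. The inventory lines and the threshold used in the stand-alone run are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the advisory): triage an Android device inventory by
# security patch level so unpatched devices can be scheduled for remediation.
# Assumes the patch level is the value of ro.build.version.security_patch
# (YYYY-MM-DD). The threshold is always supplied by the caller, because the
# advisory does not name the bulletin that carries the fix.

# Constructed sample inventory: "serial model patch_level", one device per line.
# In practice, export this from MDM or collect it per device with
#   adb -s SERIAL shell getprop ro.build.version.security_patch
# The last line has a malformed patch level on purpose to show how unknowns are handled.
SAMPLE_INVENTORY='emu-001 lab-phone-a 2026-02-05
emu-002 lab-phone-b 2026-03-05
emu-003 lab-kiosk 2025-11-05
emu-004 lab-phone-c bogus'

# patch_num DATE -> prints YYYYMMDD for integer comparison, or nothing when
# DATE is not a well-formed patch level (an unknown level is treated as outdated).
patch_num() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d - ;;
    *) ;;
  esac
}

# is_outdated PATCH THRESHOLD -> exit 0 when PATCH predates THRESHOLD or is unknown;
# exit 2 when THRESHOLD itself is malformed.
is_outdated() {
  p=$(patch_num "$1")
  t=$(patch_num "$2")
  if [ -z "$t" ]; then
    echo "bad threshold date: $2" >&2
    return 2
  fi
  [ -z "$p" ] && return 0
  [ "$p" -lt "$t" ]
}

# triage_inventory THRESHOLD < inventory -> prints "serial model patch status"
# for every device, with status NEEDS_PATCH or ok. Blank lines are skipped.
triage_inventory() {
  threshold=$1
  while read -r serial model patch; do
    [ -z "$serial" ] && continue
    if is_outdated "$patch" "$threshold"; then
      status=NEEDS_PATCH
    else
      status=ok
    fi
    printf '%s %s %s %s\n' "$serial" "$model" "${patch:-unknown}" "$status"
  done
}

# count_outdated THRESHOLD INVENTORY -> prints the number of devices needing remediation.
count_outdated() {
  printf '%s\n' "$2" | triage_inventory "$1" | grep -c NEEDS_PATCH || true
}

# Stand-alone run against the constructed inventory with a constructed threshold.
# Replace the threshold with the date of the security bulletin that fixes the issue.
printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory "2026-03-05"
echo "devices needing remediation: $(count_outdated 2026-03-05 "$SAMPLE_INVENTORY")"
```

Feeding a real MDM export through triage_inventory with the bulletin date gives the list the MDM or platform team needs to schedule updates; devices whose patch level cannot be read are deliberately flagged rather than silently passed, since an unknown level is not evidence of a fix.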
