{"id":"ASB-A-456471290", "published":"2026-04-01T00:00:00Z", "modified":"2026-04-10T16:16:18.068628499Z", "aliases":["CVE-2026-0049", "A-456471290"], "details":"In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/external/dng_sdk", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2-next:0"}, {"fixed":"16-qpr2-next:2026-04-01"}]}], "versions":["16-qpr2-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/dng_sdk/+/90c04eb8818273d4df0773ec38cafceba504b151"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"247983476148946683277296250507153569546", "length":772}, "id":"ASB-A-456471290-7cd87949", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/90c04eb8818273d4df0773ec38cafceba504b151", "target":{"file":"source/dng_misc_opcodes.cpp", "function":"dng_opcode_MapTable::ProcessArea"}}, {"deprecated":false, "digest":{"line_hashes":["254162864987419516653037546255962976974", "174481379245101906330103818219884968188", "38818084593025721930813588560192806488", "340185059397985687769525146074280437867", "86925292005109110440163438978910335476", "266795867980431311308635298062714772849", "292619745112616878756990209523440410762", "241430027009489406701638282265980435329", "34460560712277407966214910576293203508", "265350394259128308862613924336694060068", "121637857954356614220299301086022153187"], "threshold":0.9}, "id":"ASB-A-456471290-f9995d57", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/90c04eb8818273d4df0773ec38cafceba504b151", "target":{"file":"source/dng_misc_opcodes.cpp"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2-next:0"}, {"fixed":"16-qpr2-next:2026-04-01"}]}], "versions":["16-qpr2-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e69ce2095f902a9f2ebd1871e9a0bda06908f0ab"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"163152872902536377393825292832473725374", "length":595}, "id":"ASB-A-456471290-16656d14", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e69ce2095f902a9f2ebd1871e9a0bda06908f0ab", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java", "function":"onHeaderDecoded"}}, {"deprecated":false, "digest":{"line_hashes":["311802817958744169613783294823276224481", "189357718234196864289704879659547444652", "131097225745498321480127830739941046329", "264246961496789808183792632663539740172", "191205946031846947260731142679398202158", "184246810390066199890375124026568279968", "271820447405255305604707319362235295110"], "threshold":0.9}, "id":"ASB-A-456471290-b2a5e389", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e69ce2095f902a9f2ebd1871e9a0bda06908f0ab", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java"}}]}}, {"package":{"name":"platform/external/dng_sdk", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-04-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/dng_sdk/+/fdfcd45175dff74138b9ed9324667ba383ea1230"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"247983476148946683277296250507153569546", "length":772}, "id":"ASB-A-456471290-32d78b2a", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/fdfcd45175dff74138b9ed9324667ba383ea1230", "target":{"file":"source/dng_misc_opcodes.cpp", "function":"dng_opcode_MapTable::ProcessArea"}}, {"deprecated":false, "digest":{"line_hashes":["254162864987419516653037546255962976974", "174481379245101906330103818219884968188", "38818084593025721930813588560192806488", "340185059397985687769525146074280437867", "86925292005109110440163438978910335476", "266795867980431311308635298062714772849", "292619745112616878756990209523440410762", "241430027009489406701638282265980435329", "34460560712277407966214910576293203508", "265350394259128308862613924336694060068", "121637857954356614220299301086022153187"], "threshold":0.9}, "id":"ASB-A-456471290-4b1dd808", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/fdfcd45175dff74138b9ed9324667ba383ea1230", "target":{"file":"source/dng_misc_opcodes.cpp"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-04-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a420571a3e2428ea6578fbd2736c3fbf8e8b5b5a"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"163152872902536377393825292832473725374", "length":595}, "id":"ASB-A-456471290-0d4e7c0d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a420571a3e2428ea6578fbd2736c3fbf8e8b5b5a", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java", "function":"onHeaderDecoded"}}, {"deprecated":false, "digest":{"line_hashes":["311802817958744169613783294823276224481", "189357718234196864289704879659547444652", "131097225745498321480127830739941046329", "264246961496789808183792632663539740172", "191205946031846947260731142679398202158", "184246810390066199890375124026568279968", "271820447405255305604707319362235295110"], "threshold":0.9}, "id":"ASB-A-456471290-c86bd9a2", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a420571a3e2428ea6578fbd2736c3fbf8e8b5b5a", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java"}}]}}, {"package":{"name":"platform/external/dng_sdk", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-04-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/dng_sdk/+/c40bd5325d326d5cc4f6a5944e0047542361dd58"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["254162864987419516653037546255962976974", "174481379245101906330103818219884968188", "38818084593025721930813588560192806488", "340185059397985687769525146074280437867", "86925292005109110440163438978910335476", "266795867980431311308635298062714772849", "292619745112616878756990209523440410762", "241430027009489406701638282265980435329", "34460560712277407966214910576293203508", "265350394259128308862613924336694060068", "121637857954356614220299301086022153187"], "threshold":0.9}, "id":"ASB-A-456471290-3f295ff1", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/c40bd5325d326d5cc4f6a5944e0047542361dd58", "target":{"file":"source/dng_misc_opcodes.cpp"}}, {"deprecated":false, "digest":{"function_hash":"247983476148946683277296250507153569546", "length":772}, "id":"ASB-A-456471290-cd7b1fb1", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/c40bd5325d326d5cc4f6a5944e0047542361dd58", "target":{"file":"source/dng_misc_opcodes.cpp", "function":"dng_opcode_MapTable::ProcessArea"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-04-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/3fcb2a5f4f371d3e47aee3d56d0789248ac716c4"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"163152872902536377393825292832473725374", "length":595}, "id":"ASB-A-456471290-dcc01e84", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3fcb2a5f4f371d3e47aee3d56d0789248ac716c4", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java", "function":"onHeaderDecoded"}}, {"deprecated":false, "digest":{"line_hashes":["311802817958744169613783294823276224481", "189357718234196864289704879659547444652", "131097225745498321480127830739941046329", "264246961496789808183792632663539740172", "191205946031846947260731142679398202158", "184246810390066199890375124026568279968", "271820447405255305604707319362235295110"], "threshold":0.9}, "id":"ASB-A-456471290-ec32c592", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3fcb2a5f4f371d3e47aee3d56d0789248ac716c4", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java"}}]}}, {"package":{"name":"platform/external/dng_sdk", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-04-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/dng_sdk/+/ce9b78475445e0ddae532f13f676e79a07109d80"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"247983476148946683277296250507153569546", "length":772}, "id":"ASB-A-456471290-2cc99a92", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/ce9b78475445e0ddae532f13f676e79a07109d80", "target":{"file":"source/dng_misc_opcodes.cpp", "function":"dng_opcode_MapTable::ProcessArea"}}, {"deprecated":false, "digest":{"line_hashes":["254162864987419516653037546255962976974", "174481379245101906330103818219884968188", "38818084593025721930813588560192806488", "340185059397985687769525146074280437867", "86925292005109110440163438978910335476", "266795867980431311308635298062714772849", "292619745112616878756990209523440410762", "241430027009489406701638282265980435329", "34460560712277407966214910576293203508", "265350394259128308862613924336694060068", "121637857954356614220299301086022153187"], "threshold":0.9}, "id":"ASB-A-456471290-f29145b4", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/ce9b78475445e0ddae532f13f676e79a07109d80", "target":{"file":"source/dng_misc_opcodes.cpp"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-04-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/f130bc90df4f6bb6237cc823824ef13c53b3a2f0"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"163152872902536377393825292832473725374", "length":595}, "id":"ASB-A-456471290-3e027da2", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/f130bc90df4f6bb6237cc823824ef13c53b3a2f0", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java", "function":"onHeaderDecoded"}}, {"deprecated":false, "digest":{"line_hashes":["311802817958744169613783294823276224481", "189357718234196864289704879659547444652", "131097225745498321480127830739941046329", "264246961496789808183792632663539740172", "191205946031846947260731142679398202158", "184246810390066199890375124026568279968", "271820447405255305604707319362235295110"], "threshold":0.9}, "id":"ASB-A-456471290-e09659a8", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/f130bc90df4f6bb6237cc823824ef13c53b3a2f0", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java"}}]}}, {"package":{"name":"platform/external/dng_sdk", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-04-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/dng_sdk/+/e87e58602d36581247f158c6fae5a927267a8954"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["254162864987419516653037546255962976974", "174481379245101906330103818219884968188", "38818084593025721930813588560192806488", "340185059397985687769525146074280437867", "86925292005109110440163438978910335476", "266795867980431311308635298062714772849", "292619745112616878756990209523440410762", "241430027009489406701638282265980435329", "34460560712277407966214910576293203508", "265350394259128308862613924336694060068", "121637857954356614220299301086022153187"], "threshold":0.9}, "id":"ASB-A-456471290-6764db35", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/e87e58602d36581247f158c6fae5a927267a8954", "target":{"file":"source/dng_misc_opcodes.cpp"}}, {"deprecated":false, "digest":{"function_hash":"247983476148946683277296250507153569546", "length":772}, "id":"ASB-A-456471290-bbabd18f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/external/dng_sdk/+/e87e58602d36581247f158c6fae5a927267a8954", "target":{"file":"source/dng_misc_opcodes.cpp", "function":"dng_opcode_MapTable::ProcessArea"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-04-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/097784954bf6d5e80d9759bd3d0db208b014f5ba"], "severity":"Critical", "spl":"2026-04-01", "types":["DoS"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["311802817958744169613783294823276224481", "189357718234196864289704879659547444652", "131097225745498321480127830739941046329", "264246961496789808183792632663539740172", "191205946031846947260731142679398202158", "184246810390066199890375124026568279968", "271820447405255305604707319362235295110"], "threshold":0.9}, "id":"ASB-A-456471290-03247c38", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/097784954bf6d5e80d9759bd3d0db208b014f5ba", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java"}}, {"deprecated":false, "digest":{"function_hash":"163152872902536377393825292832473725374", "length":595}, "id":"ASB-A-456471290-675e2242", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/097784954bf6d5e80d9759bd3d0db208b014f5ba", "target":{"file":"core/java/com/android/internal/widget/LocalImageResolver.java", "function":"onHeaderDecoded"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-04-01"}]}