Google has released its April 2026 Android Security Bulletin, and the headline issue is a serious flaw that security researchers are calling a “zero-interaction” vulnerability — one that requires no click, no download, and no permission grant from the victim to be triggered. The vulnerability, tracked as CVE-2026-0049, resides in the core Android Framework and can be exploited to cause a local denial-of-service (DoS) condition on affected devices.

Google’s bulletin confirms that “the most severe of these issues is a critical security vulnerability in the Framework component that could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.” The flaw was disclosed as part of the 2026-04-01 security patch level, and source code patches have been pushed to the Android Open Source Project (AOSP) repository.

Vulnerability at a Glance

CVE ID: CVE-2026-0049
Component: Android Framework (AOSP)
Type: Local Denial of Service (DoS)
User Interaction: None required
Privileges Required: None
CVSS 3.1 Score: 6.2 (Medium) — some sources rate as Critical
Affected Versions: Android 14, 15, 16, 16-qpr2
Patch Level: 2026-04-01 or later
Patch Status: Available — apply immediately

What Is the Vulnerability?

CVE-2026-0049 is a flaw in Android’s Framework layer — the core software layer that manages application lifecycle, system services, and inter-app communication. According to technical analysis, the vulnerability involves resource exhaustion in the onHeaderDecoded function of LocalImageResolver.java, which can be triggered to cause a persistent denial-of-service state.

In practical terms, a successful exploitation of this flaw could cause a device’s core services to crash or become unresponsive, effectively “bricking” the software temporarily. The device would likely require a hard reset to recover, and in worst-case scenarios, instability could persist across reboots.

“User interaction is not needed for exploitation.”

— Google April 2026 Android Security Bulletin

What makes this particularly notable is the zero-interaction nature of the attack vector. Unlike phishing-based exploits or malicious app installations, an attacker does not need to trick the user into taking any action whatsoever. This significantly lowers the barrier to exploitation.

⚠ Severity Note: There is some inconsistency in how different sources characterize the severity of this flaw. Google’s official bulletin classifies it as “critical” based on potential impact, while the CVSS 3.1 base score of 6.2 places it in the “medium” range. This discrepancy reflects the difference between raw scoring metrics and real-world exploitability assessment. Either way, the vulnerability warrants prompt patching.

Who Is Affected?

Google has confirmed the following Android versions are vulnerable:

Android 14, Android 15, Android 16, Android 16-qpr2

These versions collectively represent the vast majority of active Android devices worldwide, given that older versions such as Android 12 and 13 are gradually being phased out of mainstream support. Device manufacturers including Samsung have already begun incorporating the April 2026 patch into their own security maintenance releases.

What Else Is in the April 2026 Bulletin?

The bulletin is split into two security patch levels. The 2026-04-01 patch level addresses the Framework DoS flaw (CVE-2026-0049) and other core AOSP issues. The subsequent 2026-04-05 patch level builds on those fixes and adds mitigations for vendor-specific hardware vulnerabilities.

Notably, the update also resolves CVE-2025-48651, a high-severity vulnerability in Android’s StrongBox hardware-backed key storage system. StrongBox is a dedicated secure hardware component responsible for protecting cryptographic keys — the kind used for device encryption, biometric authentication, and secure payments. Components from Google, NXP, STMicroelectronics, and Thales are all affected by this secondary flaw, making the full 2026-04-05 patch level important to obtain for complete protection.

What You Should Do Right Now

📱 How to Update Your Android Device

  1. Open your device’s Settings app.
  2. Scroll to About Phone (or About Device on some brands).
  3. Tap Android Version or Security Patch Level to check your current status.
  4. Return to Settings and go to System → Software Update (wording varies by manufacturer).
  5. Download and install any available update. For full protection, ensure your patch level reads 2026-04-05 or later.
  6. Restart your device to complete the installation.
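For fleet administrators or anyone who prefers to check from a workstation rather than tapping through Settings, the following script is an added example (not part of the bulletin or of Google’s tooling). It assumes the standard Android system properties ro.build.version.security_patch (YYYY-MM-DD) and ro.build.version.release are readable over adb when a device is attached, and it uses constructed sample values otherwise so it runs offline. It reports whether the device falls within the releases the bulletin lists and whether its patch level reaches the 2026-04-01 Framework fix, the full 2026-04-05 level, or neither.

```shell
#!/bin/sh
# Added example, not from the bulletin: evaluate a device's reported patch
# level against the April 2026 Android Security Bulletin.
# Assumptions: ro.build.version.security_patch (YYYY-MM-DD) and
# ro.build.version.release are readable via adb when a device is attached.

FRAMEWORK_PATCH="2026-04-01"   # level that carries the CVE-2026-0049 fix
FULL_PATCH="2026-04-05"        # level that also carries the vendor/StrongBox fixes

# Turn YYYY-MM-DD into an integer (YYYYMMDD) so dates compare numerically.
date_int() {
  printf '%s' "$1" | tr -d '-'
}

# patch_status <YYYY-MM-DD>: prints "patched" at or after 2026-04-05,
# "partial" for 2026-04-01..2026-04-04, "vulnerable" before 2026-04-01,
# and "unknown" (exit 1) when the value is not a date.
patch_status() {
  level=$(date_int "$1")
  case "$level" in
    *[!0-9]*|"") echo "unknown"; return 1 ;;
  esac
  if [ "$level" -ge "$(date_int "$FULL_PATCH")" ]; then
    echo "patched"
  elif [ "$level" -ge "$(date_int "$FRAMEWORK_PATCH")" ]; then
    echo "partial"
  else
    echo "vulnerable"
  fi
}

# release_affected <release>: prints "yes" for the releases the bulletin lists
# (14, 15, 16; a 16-qpr2 build reports its release as 16), "no" otherwise.
release_affected() {
  major=${1%%.*}
  major=${major%%-*}
  case "$major" in
    14|15|16) echo "yes" ;;
    *) echo "no" ;;
  esac
}

# Constructed sample values standing in for a real device, so this runs offline.
device_release="16"
device_patch="2026-03-05"

# When a device is attached, read the live values instead.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  device_release=$(adb shell getprop ro.build.version.release | tr -d '\r')
  device_patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
fi

echo "release=$device_release affected=$(release_affected "$device_release")"
echo "patch=$device_patch status=$(patch_status "$device_patch")"
```

A “partial” result means the Framework DoS fix is present but the 2026-04-05 vendor fixes, including the StrongBox one, are not; the bulletin’s guidance is to reach 2026-04-05 or later.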

Google notes that device manufacturers were notified of these vulnerabilities at least one month in advance of the bulletin’s publication, providing time to prepare and test updates. However, rollout timelines vary by manufacturer and carrier — Pixel devices typically receive updates first, followed by Samsung, and then other brands on their own schedules.

If an update is not yet available for your specific device, the most practical interim precaution is to avoid installing apps from unknown or unverified sources, as this limits the potential local attack surface. Keep an eye on your device manufacturer’s security advisory page for update availability.

Context: A Busy Start to April for Google Security

CVE-2026-0049 arrives alongside a broader set of security concerns for Google’s ecosystem this month. Chrome users have also received separate warnings about an actively exploited zero-day vulnerability, and there have been advisories relating to credential theft targeting the same user base. The April 2026 Android bulletin represents Google’s routine monthly response mechanism — and in this case, it carries genuinely significant risk given the zero-interaction nature of the primary flaw.

The bottom line: a fix exists, it is available now, and applying it is the single most effective action Android users can take to protect themselves.