Google Patches Critical Zero-Interaction Android Vulnerability in April 2026 Security Update
Google’s April 2026 Android Security Bulletin addresses multiple high-risk vulnerabilities, including a critical zero-interaction flaw in the Android Framework. The most severe issue, CVE-2026-0049, allows attackers to execute a local denial-of-service (DoS) attack without user interaction or elevated privileges, potentially rendering affected devices unresponsive. The vulnerability impacts Android versions 14, 15, 16, and 16-qpr2, with patches released via the 2026-04-01 security patch level.
Additionally, the update resolves CVE-2025-48651, a high-severity flaw in the StrongBox hardware-backed key storage system, affecting implementations from Google, NXP, STMicroelectronics, and Thales. This vulnerability compromises the security of cryptographic keys, necessitating the 2026-04-05 patch level for full protection.
Google has provided device manufacturers with advance notice to facilitate timely updates. Users can verify protection by checking their device’s security patch level, with 2026-04-05 or later ensuring full mitigation. The Android Open Source Project (AOSP) will receive source code patches within 48 hours of the bulletin’s release.
Source: https://cybersecuritynews.com/android-zero-interaction-vulnerability/
{
  "id": "NXPTHASTM1775572928",
  "linkid": "nxp-semiconductors, thales, stmicroelectronics",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'customers_affected': 'Android users (versions 14, 15, '
                                              '16, 16-qpr2)',
                        'industry': 'Software/Operating Systems',
                        'location': 'Global',
                        'name': 'Google',
                        'type': 'Technology Company'},
                       {'industry': 'Hardware/Semiconductors',
                        'location': 'Global',
                        'name': 'NXP',
                        'type': 'Semiconductor Manufacturer'},
                       {'industry': 'Hardware/Semiconductors',
                        'location': 'Global',
                        'name': 'STMicroelectronics',
                        'type': 'Semiconductor Manufacturer'},
                       {'industry': 'Cybersecurity/Hardware',
                        'location': 'Global',
                        'name': 'Thales',
                        'type': 'Technology Company'}],
 'attack_vector': 'Local',
 'customer_advisories': 'Users advised to verify their device’s security patch '
                        'level (2026-04-05 or later).',
 'data_breach': {'sensitivity_of_data': 'Cryptographic keys (StrongBox '
                                        'vulnerability)'},
 'date_publicly_disclosed': '2026-04',
 'description': 'Google’s April 2026 Android Security Bulletin addresses '
                'multiple high-risk vulnerabilities, including a critical '
                'zero-interaction flaw in the Android Framework '
                '(CVE-2026-0049) that allows attackers to execute a local '
                'denial-of-service (DoS) attack without user interaction or '
                'elevated privileges. The vulnerability impacts Android '
                'versions 14, 15, 16, and 16-qpr2. Additionally, the update '
                'resolves CVE-2025-48651, a high-severity flaw in the '
                'StrongBox hardware-backed key storage system, affecting '
                'implementations from Google, NXP, STMicroelectronics, and '
                'Thales.',
 'impact': {'downtime': 'Potential device unresponsiveness',
            'operational_impact': 'Denial-of-service (DoS) attack risk, '
                                  'compromised cryptographic key security',
            'systems_affected': 'Android devices (versions 14, 15, 16, '
                                '16-qpr2)'},
 'investigation_status': 'Patched',
 'post_incident_analysis': {'corrective_actions': 'Patches released; source '
                                                  'code updates to AOSP.',
                            'root_causes': 'Critical zero-interaction '
                                           'vulnerability in Android Framework '
                                           '(CVE-2026-0049) and StrongBox '
                                           'hardware-backed key storage flaw '
                                           '(CVE-2025-48651).'},
 'recommendations': 'Users should update to security patch level 2026-04-05 or '
                    'later to ensure full protection.',
 'references': [{'source': 'Google Android Security Bulletin'}],
 'response': {'communication_strategy': 'Android Security Bulletin published; '
                                        'users advised to verify security '
                                        'patch level',
              'containment_measures': 'Patches released via 2026-04-01 and '
                                      '2026-04-05 security patch levels',
              'remediation_measures': 'Security updates provided to device '
                                      'manufacturers; AOSP source code patches '
                                      'within 48 hours'},
 'stakeholder_advisories': 'Device manufacturers notified in advance for '
                           'timely updates.',
 'title': 'Google Patches Critical Zero-Interaction Android Vulnerability in '
          'April 2026 Security Update',
 'type': 'Vulnerability',
 'vulnerability_exploited': ['CVE-2026-0049', 'CVE-2025-48651']}