www.securityweek.com 4/7/2026, 2:48:07 PM

Android patches critical DoS flaw and StrongBox keystore vulnerability

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

SecurityWeek reports that the latest Android security update patches a critical denial-of-service vulnerability in Android’s Framework component and a separate StrongBox flaw. The DoS issue is tracked as CVE-2026-0049 and can be triggered by a local attacker with no extra privileges or user interaction.

The StrongBox vulnerability, tracked as CVE-2025-48651, affects Android’s hardware-backed keystore and is rated high severity. Potential impacts include key extraction or privilege escalation, though the article notes it is unclear what the flaw could be exploited for and that none of the flaws appear to have been exploited in the wild. According to the Android security bulletin, CVE-2025-48651 affects StrongBox implementations from Google, NXP, STMicroelectronics, and Thales. The updates address only these two vulnerabilities. The piece is written by Eduard Kovacs and dated 7 April 2026.


Article by CyberSIXT