Critical Android zero-interaction flaw can crash devices with no user action
Google’s April 2026 Android Security Bulletin fixes a critical Framework flaw, CVE-2026-0049, that can cause a local denial of service without any user interaction and without extra execution privileges. Google says the issue affects Android 14, 15, 16, and 16 QPR2, and that devices on security patch level 2026-04-05 or later address all issues in the bulletin.
This matters because the bug sits in the Android Framework, not in a niche vendor component. Google describes it as the most severe issue in this month’s bulletin and says exploitation needs no user action, which lowers the barrier for attackers compared with phishing-style Android threats that depend on clicks, downloads, or permission prompts.
The bulletin also fixes CVE-2025-48651, a high-severity StrongBox issue that affects components from Google, NXP, STMicroelectronics, and Thales. StrongBox is the hardware-backed environment Android uses for sensitive key storage, so a flaw there matters well beyond a single app crash or service failure.
What Google fixed in April 2026
Google split the release into two patch levels. The 2026-04-01 patch level covers the core Android operating system issues, including CVE-2026-0049 in Framework. The 2026-04-05 patch level includes everything from 2026-04-01 plus vendor and hardware-related fixes such as the StrongBox issue.
The bulletin says there are no security issues addressed in Google Play system updates this month under Project Mainline. That means users should not assume Play system updates alone cover the headline bug. They need the device security patch itself.
Google also says Android partners receive notice of these issues at least a month before publication. That gives phone makers time to prepare updates, although actual rollout speed still depends on the manufacturer and carrier.
Key details at a glance
| Item | Confirmed detail |
|---|---|
| Main flaw | CVE-2026-0049 |
| Severity | Critical |
| Component | Android Framework |
| Impact | Local denial of service |
| User interaction needed | No |
| Extra privileges needed | No |
| Affected Android versions | 14, 15, 16, 16-qpr2 |
| Full patch level | 2026-04-05 or later |
Why the StrongBox fix matters too
CVE-2025-48651 is listed as a high-severity StrongBox issue under multiple vendors. Google, NXP, STMicroelectronics, and Thales each appear in the bulletin, which suggests the flaw spans several StrongBox implementations rather than a single isolated hardware supplier.
StrongBox protects highly sensitive cryptographic material, so even when a StrongBox issue does not become the headline CVE of the month, it still deserves attention. Weaknesses in secure key storage can affect authentication, app trust, and device integrity across the wider Android ecosystem. This last point is an inference based on StrongBox’s role in Android security architecture and Google’s severity rating.
Google notes that some issues marked with an asterisk next to the bug ID are not publicly available yet, and their fixes may live in the latest binary drivers for Pixel devices. That applies to the StrongBox entry here, so public technical details remain limited for now.
What users should do now
- Check your device’s Android security patch level in Settings and look for 2026-04-05 or later.
- Install the April 2026 security update as soon as your phone maker releases it.
- Keep Google Play Protect enabled, because Google says it actively warns users about potentially harmful apps.
- Do not assume a Google Play system update alone fixes this month’s most serious bug.
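For anyone checking more than one handset, the patch-level check above can be scripted. The following is an added example, not part of the bulletin or the original article: it classifies a reported security patch level against the two levels named above, and with `--adb` it reads `ro.build.version.security_patch` from each attached device. The function names and status labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The two patch levels are the ones named in the article.
CORE_LEVEL="2026-04-01"   # core OS fixes, including CVE-2026-0049 (Framework)
FULL_LEVEL="2026-04-05"   # adds vendor/hardware fixes, including CVE-2025-48651

# Convert YYYY-MM-DD to the integer YYYYMMDD; prints nothing if malformed.
to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            y=${1%%-*}; rest=${1#*-}
            printf '%s%s%s' "$y" "${rest%-*}" "${rest#*-}" ;;
    esac
}

# Map one reported patch level to: full | core-only | unpatched | unknown
classify_patch_level() {
    n=$(to_int "$1")
    if [ -z "$n" ]; then echo "unknown"
    elif [ "$n" -ge "$(to_int "$FULL_LEVEL")" ]; then echo "full"
    elif [ "$n" -ge "$(to_int "$CORE_LEVEL")" ]; then echo "core-only"
    else echo "unpatched"
    fi
}

# Read "serial patch-level" pairs on stdin, print "serial patch-level status".
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        echo "$serial ${level:-none} $(classify_patch_level "$level")"
    done
}

# With --adb, query every attached, authorized device over USB debugging.
if [ "${1:-}" = "--adb" ]; then
    for s in $(adb devices | awk 'NR>1 && $2=="device" {print $1}'); do
        # Strip the carriage return some adb versions append to shell output.
        echo "$s $(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')"
    done | audit_inventory
fi
```

A `core-only` result means the device reports the 2026-04-01 level, which includes the Framework fix but not the vendor and hardware fixes that arrive with 2026-04-05.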
FAQ
It is a critical Android Framework vulnerability that can cause a local denial of service with no user interaction and no extra execution privileges.
Google lists Android 14, Android 15, Android 16, and Android 16 QPR2.
No. Google says user interaction is not needed for exploitation.
No. Google says Play Protect helps reduce risk from harmful apps, but the bulletin’s core fixes still require the April device security update.