Severe StrongBox Vulnerability Patched in Android

Summary

Google released Android security updates addressing two vulnerabilities: CVE-2026-0049, a critical denial-of-service flaw in Android's Framework component exploitable by local attackers without privileges, and CVE-2025-48651, a high-severity vulnerability in StrongBox (Android's hardware-backed secure keystore) affecting implementations from Google, NXP, STMicroelectronics, and Thales. Neither vulnerability has been exploited in the wild, though technical details of the StrongBox flaw remain undisclosed.

Full text

The latest Android security updates address only two vulnerabilities: a critical denial-of-service (DoS) issue, and a StrongBox flaw whose impact does not appear to have been disclosed. The DoS vulnerability is tracked as CVE-2026-0049 and it affects Android’s Framework component. The weakness can be exploited by a local attacker with no additional execution privileges and without user interaction to cause a DoS condition. The second vulnerability affects StrongBox, Android’s hardware-backed secure keystore that adds a higher level of protection for cryptographic keys. StrongBox works by storing and managing keys inside a dedicated Secure Element (SE), a separate, tamper-resistant hardware chip that includes its own processor, isolated memory, a hardware-based random number generator, with strong defenses against physical and side-channel attacks. The StrongBox flaw is tracked as CVE-2025-48651 and it has been assigned a ‘high severity’ rating, but it’s unclear what it can be exploited for. StrongBox vulnerabilities in general could allow key extraction, privilege escalation, or triggering a DoS condition. Technical details will likely become available at a later time. Advertisement. Scroll to continue reading. According to the Android security bulletin, CVE-2025-48651 affects StrongBox implementations from Google, NXP, STMicroelectronics, and Thales. Neither of the vulnerabilities appears to have been exploited in the wild. Related: Android Update Patches Exploited Qualcomm Zero-Day Related: Android Zero-Days Patched in December 2025 Security Update Related: Android 17 Beta Strengthens Secure-by-Default Design for Privacy and App Security Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs T-Mobile Sets the Record Straight on Latest Data Breach FilingApple Rolls Out DarkSword Exploit Protection to More DevicesCybersecurity M&A Roundup: 38 Deals Announced in March 2026Toy Giant Hasbro Hit by CyberattackExploited Zero-Day Among 21 Vulnerabilities Patched in ChromeFBI Warns of Data Security Risks From China-Made Mobile AppsGoogle Addresses Vertex Security Issues After Researchers Weaponize AI AgentsCensys Raises $70 Million for Internet Intelligence Platform Latest News Critical Flowise Vulnerability in Attacker CrosshairsGrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise DataWebinar Today: Why Automated Pentesting Alone Is Not EnoughGPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack Medusa Ransomware Fast to Exploit Vulnerabilities, Breached SystemsGerman Police Unmask REvil Ransomware LeaderWhite House Seeks to Slash CISA Funding by $707 MillionWynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-0049
• cve — CVE-2025-48651

Entities