CVE-2021-39670

MEDIUM

Android - Local Denial of Service via WallpaperManager setStream Input Validation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-39670. PoCs published by Supersonic.

AI-analyzed exploit summary This repository contains a functional Android application that demonstrates two permanent denial-of-service (PDoS) vulnerabilities in Android's WallpaperManagerService (CVE-2021-39670 and CVE-2021-39690). The exploit triggers device crashes/reboots by either exhausting memory via a malicious bitmap or manipulating display padding.

Description

In setStream of WallpaperManager.java, there is a possible way to cause a permanent DoS due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-204087139

Exploits (1)

nomisec WORKING POC 14 stars
by Supersonic · poc
https://github.com/Supersonic/Wallbreak

This repository contains a functional Android application that demonstrates two permanent denial-of-service (PDoS) vulnerabilities in Android's WallpaperManagerService (CVE-2021-39670 and CVE-2021-39690). The exploit triggers device crashes/reboots by either exhausting memory via a malicious bitmap or manipulating display padding.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Android WallpaperManagerService (versions prior to patches in May/June 2022)
No auth needed
Prerequisites: Android device with vulnerable WallpaperManagerService · Ability to install and run the APK
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://source.android.com/security/bulletin/2022-05-01

Scores

CVSS v3 5.5
EPSS 0.0019
EPSS Percentile 8.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-770
Status published
Products (2)
google/android 12.0
google/android 12.1
Published May 10, 2022
Tracked Since Feb 18, 2026