Skip to main content

Google Android CVE-2026-0075

| EUVDEUVD-2026-33791 MEDIUM
SQL Injection (CWE-89)
2026-06-01 google_android GHSA-95qw-g548-3232
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:29 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
5.9 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.9

DescriptionCVE.org

In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

SQL injection across multiple contacts database functions in Google Android enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated privileges or user interaction. The flaw allows an unprivileged local process or malicious application to inject arbitrary SQL into contacts database queries, resulting in unauthorized read, write, and partial denial-of-service impact against contact data. No public exploit has been identified at time of analysis, and EPSS probability stands at 0.01%, consistent with a local-only attack surface, though the absence of any privilege prerequisite (PR:N) lowers the bar for any attacker already on the device.

Technical ContextAI

Android's contacts provider stores data in a SQLite database accessed through a content provider layer. CWE-89 (SQL Injection) indicates that one or more of the functions responsible for querying or manipulating this database fail to properly parameterize or sanitize caller-supplied input before constructing SQL statements. On Android, content providers can be accessible to third-party applications depending on export permissions and calling app grants, meaning a malicious app with no declared permissions could potentially invoke these vulnerable functions. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers the full Android application platform across all architectures, and the EUVD confirms exposure across four distinct release lines: Android 14, Android 15, Android 16, and Android 16-qpr2.

RemediationAI

Apply the June 2026 Android Security Bulletin patch, referenced at https://source.android.com/docs/security/bulletin/2026/2026-06-01; this is the primary fix. Exact patched build versions are not independently confirmed from the available input data - consult the bulletin directly and verify OEM-specific patch rollout timelines, as Android updates are distributed through device manufacturers and carriers who may lag behind the bulletin date. As a compensating control while awaiting the patch, organizations managing enterprise Android deployments via MDM can restrict installation of untrusted or sideloaded applications, reducing the local attacker footprint, though this does not eliminate risk from malicious apps distributed through legitimate channels. Users on affected versions (Android 14, 15, 16, 16-qpr2) should prioritize applying monthly security updates as they become available from their device OEM.

Share

CVE-2026-0075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy