Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires a local app on the device (AV:L, PR:L for sandboxed app), no user interaction, insecure default reliably triggers (AC:L), special app access enables broad data and integrity impact.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a local app installed on the affected Android build that can trigger NfcDispatcher.tryStartActivity - i.e., code execution on the device at normal app sandbox level is the only prerequisite per the description ('no additional execution privileges needed', 'User interaction is not needed'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals here conflict and need explicit calling out. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user installs a low-privilege app from a third-party store or sideload. The app silently invokes the NFC dispatch path so that tryStartActivity executes with the insecure default, causing the OS to auto-grant the app a special app access permission (e.g., Usage Access or Notification Listener). … |
| Remediation | Patch available per vendor advisory - install the Android security patch level referenced in https://source.android.com/docs/security/bulletin/android-17 (exact fix version not enumerated in the provided input; consult the bulletin for the SPL string and per-branch AOSP tags). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all production Android-17 devices; identify systems with NFC capability and active app ecosystems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-453 – Insecure Default Variable Initialization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37570