Skip to main content

Android CVE-2026-0082

| EUVDEUVD-2026-37570 CRITICAL
Insecure Default Variable Initialization (CWE-453)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Requires a local app on the device (AV:L, PR:L for sandboxed app), no user interaction, insecure default reliably triggers (AC:L), special app access enables broad data and integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:26 vuln.today
CVE Published
Jun 17, 2026 - 07:13 cve.org
CRITICAL 10.0

DescriptionCVE.org

In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious app on device
Delivery
Invoke NFC dispatch path
Exploit
Trigger insecure default in tryStartActivity
Execution
Auto-assigned special app access granted
Impact
Abuse elevated permission to read user data

Vulnerability AssessmentAI

Exploitation Requires a local app installed on the affected Android build that can trigger NfcDispatcher.tryStartActivity - i.e., code execution on the device at normal app sandbox level is the only prerequisite per the description ('no additional execution privileges needed', 'User interaction is not needed'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals here conflict and need explicit calling out. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs a low-privilege app from a third-party store or sideload. The app silently invokes the NFC dispatch path so that tryStartActivity executes with the insecure default, causing the OS to auto-grant the app a special app access permission (e.g., Usage Access or Notification Listener). …
Remediation Patch available per vendor advisory - install the Android security patch level referenced in https://source.android.com/docs/security/bulletin/android-17 (exact fix version not enumerated in the provided input; consult the bulletin for the SPL string and per-branch AOSP tags). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all production Android-17 devices; identify systems with NFC capability and active app ecosystems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-0082 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy