Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description states local EoP from an unprivileged context with no UI; race condition raises AC to High; impact is full compromise of the NFC service context, hence C/I/A High.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In Nfc::eventCallback() of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android's NFC subsystem stems from a use-after-free condition in Nfc::eventCallback() within Nfc.h, triggerable via a race condition without user interaction or additional execution privileges. Affected devices covered by the Android Security Bulletin for Android 17 can have an unprivileged local process win the race and elevate to higher-privileged context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the ability to execute code on the target Android device (e.g., an installed app or already-foothold process) that can interact with the NFC subsystem and reach Nfc::eventCallback() - NFC must be enabled on the device for the event callback path to be reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Significant signal conflict requires explicit attention: the supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) and score of 10.0 indicate remote, unauthenticated, network-reachable exploitation with scope-changing impact across all CIA - yet the CVE description explicitly states 'local escalation of privilege' with 'no additional execution privileges needed.' This is contradictory: a local EoP should carry AV:L, not AV:N, and the 10.0 rating appears inflated relative to the stated impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised app running on an unpatched Android device repeatedly triggers NFC events while concurrently freeing the underlying object referenced by Nfc::eventCallback(), winning the race and reusing the freed memory to hijack control flow within the NFC service context. Because no user interaction is required and no additional execution privileges are needed beyond the ability to interact with the NFC subsystem, the attacker elevates from an unprivileged app sandbox toward the NFC service's privileges, potentially pivoting further. … |
| Remediation | Apply the Android security patch level published in the Android 17 security bulletin at https://source.android.com/docs/security/bulletin/android-17 as soon as the OEM/carrier makes it available; on Pixel and other Google-managed devices this typically arrives as a monthly OTA, while third-party OEM devices depend on vendor build cadence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Android 17 devices, categorize by sensitivity (especially those with access to sensitive data or enterprise networks), and document device ownership. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-362 – Race Condition
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37571