Skip to main content

Google Android CVE-2026-0085

| EUVDEUVD-2026-33797 MEDIUM
Improper Input Validation (CWE-20)
2026-06-01 google_android GHSA-4ppr-vp6x-67cw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:33 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In applySimpleFieldMaxSize of DataRowHandler.java, there is a possible way to insert a large contact name due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local denial of service in Google Android's contacts subsystem allows a low-privileged local user to crash or destabilize the Contacts provider by inserting an oversized contact name field. Affected platforms include Android 14, 15, 16-qpr2, and 16. No special privileges beyond a standard app context are required, and no user interaction is needed, making this exploitable by any installed app with contacts write access. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in applySimpleFieldMaxSize() within DataRowHandler.java, a class responsible for enforcing field size constraints when writing contact data rows to the Android Contacts content provider (ContentProvider framework). CWE-20 (Improper Input Validation) identifies the root cause: the method fails to correctly enforce the maximum allowable size for contact name fields, permitting an abnormally large value to be committed. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering the Android application-layer contacts stack across four named releases. This is an application-layer flaw, not a kernel or hardware issue, and its scope is limited to availability (A:H) with no confidentiality or integrity impact.

RemediationAI

Apply the patches distributed in Google's June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01). An exact patched build version is not independently confirmed from the available data - consult the bulletin directly for patch level identifiers (e.g., 2026-06-01 security patch level or later). As a compensating control for devices pending the update, administrators managing enterprise Android fleets can use Mobile Device Management (MDM) policies to restrict which applications are granted the WRITE_CONTACTS permission, directly limiting the pool of apps that could trigger this condition. Note that revoking contacts write access from legitimate apps may break contact sync and communication features. No workaround fully mitigates the issue without the vendor patch.

Share

CVE-2026-0085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy