Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In applySimpleFieldMaxSize of DataRowHandler.java, there is a possible way to insert a large contact name due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local denial of service in Google Android's contacts subsystem allows a low-privileged local user to crash or destabilize the Contacts provider by inserting an oversized contact name field. Affected platforms include Android 14, 15, 16-qpr2, and 16. No special privileges beyond a standard app context are required, and no user interaction is needed, making this exploitable by any installed app with contacts write access. No public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in applySimpleFieldMaxSize() within DataRowHandler.java, a class responsible for enforcing field size constraints when writing contact data rows to the Android Contacts content provider (ContentProvider framework). CWE-20 (Improper Input Validation) identifies the root cause: the method fails to correctly enforce the maximum allowable size for contact name fields, permitting an abnormally large value to be committed. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering the Android application-layer contacts stack across four named releases. This is an application-layer flaw, not a kernel or hardware issue, and its scope is limited to availability (A:H) with no confidentiality or integrity impact.
RemediationAI
Apply the patches distributed in Google's June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01). An exact patched build version is not independently confirmed from the available data - consult the bulletin directly for patch level identifiers (e.g., 2026-06-01 security patch level or later). As a compensating control for devices pending the update, administrators managing enterprise Android fleets can use Mobile Device Management (MDM) policies to restrict which applications are granted the WRITE_CONTACTS permission, directly limiting the pool of apps that could trigger this condition. Note that revoking contacts write access from legitimate apps may break contact sync and communication features. No workaround fully mitigates the issue without the vendor patch.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33797
GHSA-4ppr-vp6x-67cw