Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.
AnalysisAI
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
AssistFeedbackService is a system service in TECNO Pova7 Pro 5G firmware that processes feedback from applications. The vulnerability stems from CWE-88 (improper neutralization of argument delimiters in a command), indicating that user-controlled input from local applications is passed unsanitized to shell command execution functions. This allows third-party apps installed on the device to inject shell metacharacters and arbitrary commands that execute in the system context. The CPE identifier (cpe:2.3:a:tecno_mobile:tecno_pova7_pro_5g) indicates this is a firmware/system application vulnerability affecting the specific TECNO Pova7 Pro 5G model line.
RemediationAI
Users should immediately check the TECNO Mobile security updates portal at https://security.tecno.com/SRC/securityUpdates for available firmware patches addressing this AssistFeedbackService vulnerability. Apply the latest firmware version when available through Settings > System > System Update on affected TECNO Pova7 Pro 5G devices. As an interim mitigation pending patch deployment, restrict installation of apps from untrusted sources (enable "Install from Unknown Sources" toggle off) and regularly review installed applications for suspicious behavior or unexpected permissions requests. Avoid sideloading APKs from unofficial channels until a patch is released.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18140
GHSA-pq33-qwwq-ggx5