Skip to main content

Android Contacts Provider CVE-2026-28576

| EUVDEUVD-2026-37573 CRITICAL
SQL Injection (CWE-89)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
vuln.today AI
5.5 MEDIUM

Description states local information disclosure exploitable by an app without extra privileges, so AV:L and PR:L (installed-app context); only confidentiality is impacted, hence I:N/A:N.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:22 vuln.today
CVE Published
Jun 17, 2026 - 07:19 cve.org
CRITICAL 10.0

DescriptionCVE.org

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install unprivileged malicious app on device
Delivery
Resolve Contacts Provider content URI
Exploit
Send query with injected SQL selection
Execution
Bypass row-level access restrictions
Impact
Exfiltrate contacts data off-device

Vulnerability AssessmentAI

Exploitation Exploitation requires a local context on the Android device - typically a malicious or compromised app installed on the handset that can issue ContentResolver queries to the Contacts Provider URI; no user interaction and no additional execution privileges (such as the READ_CONTACTS runtime permission) are required per the description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict materially: the supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with all impacts High and scope-change High) implies an unauthenticated remote critical bug, but the CVE description explicitly states 'local information disclosure with no additional execution privileges needed,' which is consistent with a malicious or compromised local app abusing the provider - not a network attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs an otherwise innocuous-looking app from a third-party store (or a sideloaded APK) that does not request the READ_CONTACTS permission, so the user grants no sensitive permissions at install. At runtime the app sends a crafted query through ContentResolver to the Contacts Provider with an injected SQL fragment that escapes the intended selection clause, returning rows from the contacts database the app should not be able to read. …
Remediation Apply the Android security patch level published in the Android 17 bulletin (https://source.android.com/docs/security/bulletin/android-17) - devices reporting that SPL or later include the Contacts Provider fix; this is the primary and recommended remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Android devices by OS version; flag devices running pre-Android 17 for asset tracking; document contact data sensitivity tiers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy