Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Description states local information disclosure exploitable by an app without extra privileges, so AV:L and PR:L (installed-app context); only confidentiality is impacted, hence I:N/A:N.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
2DescriptionCVE.org
In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local context on the Android device - typically a malicious or compromised app installed on the handset that can issue ContentResolver queries to the Contacts Provider URI; no user interaction and no additional execution privileges (such as the READ_CONTACTS runtime permission) are required per the description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict materially: the supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with all impacts High and scope-change High) implies an unauthenticated remote critical bug, but the CVE description explicitly states 'local information disclosure with no additional execution privileges needed,' which is consistent with a malicious or compromised local app abusing the provider - not a network attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user installs an otherwise innocuous-looking app from a third-party store (or a sideloaded APK) that does not request the READ_CONTACTS permission, so the user grants no sensitive permissions at install. At runtime the app sends a crafted query through ContentResolver to the Contacts Provider with an injected SQL fragment that escapes the intended selection clause, returning rows from the contacts database the app should not be able to read. … |
| Remediation | Apply the Android security patch level published in the Android 17 bulletin (https://source.android.com/docs/security/bulletin/android-17) - devices reporting that SPL or later include the Contacts Provider fix; this is the primary and recommended remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Android devices by OS version; flag devices running pre-Android 17 for asset tracking; document contact data sensitivity tiers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37573