Skip to main content

Google Android CVE-2026-28581

| EUVDEUVD-2026-33814 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-01 google_android GHSA-7cq5-j958-39ff
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:36 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
4.0 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 4.0

DescriptionCVE.org

In fixInitiatingUserIfNecessary of CallIntentProcessor.java, there is a possible way to make an emergency call due to a logic error in the code. This could lead to local with null execution privileges needed. User interaction is null for exploitation.

AnalysisAI

Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.

Technical ContextAI

The vulnerability resides in Android's telephony subsystem, specifically in CallIntentProcessor.java, which is responsible for processing and routing call intents through the Android telephony stack. The affected method fixInitiatingUserIfNecessary is designed to validate or correct the identity of the user initiating a call before processing it. A logic error in this method fails to correctly enforce privilege or identity checks, allowing the emergency call pathway to be triggered without appropriate authorization. Affected products are identified by CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* spanning Android 14, 15, 16, and 16-QPR2. No CWE is formally assigned, but the root cause class is consistent with CWE-840 (Business Logic Errors) or CWE-284 (Improper Access Control), as the flaw bypasses an intended gating check rather than corrupting memory or leaking data.

RemediationAI

The primary fix is to apply the Android Security Patch Level (SPL) from the June 2026 Android Security Bulletin, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact patched version number or build ID is not independently confirmed from the provided data - patch availability is confirmed per vendor advisory only. Device manufacturers (OEMs) must integrate and distribute this patch in their own firmware updates, so patch availability will vary by device and vendor. As a compensating control prior to patch deployment, organizations managing corporate Android fleets via Mobile Device Management (MDM) solutions can restrict or disable dialer application access for restricted-user profiles, reducing the attack surface on shared or kiosk devices. This mitigation does not address the root logic flaw and may impact legitimate emergency call access in some deployment scenarios.

Share

CVE-2026-28581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy