Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
In fixInitiatingUserIfNecessary of CallIntentProcessor.java, there is a possible way to make an emergency call due to a logic error in the code. This could lead to local with null execution privileges needed. User interaction is null for exploitation.
AnalysisAI
Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.
Technical ContextAI
The vulnerability resides in Android's telephony subsystem, specifically in CallIntentProcessor.java, which is responsible for processing and routing call intents through the Android telephony stack. The affected method fixInitiatingUserIfNecessary is designed to validate or correct the identity of the user initiating a call before processing it. A logic error in this method fails to correctly enforce privilege or identity checks, allowing the emergency call pathway to be triggered without appropriate authorization. Affected products are identified by CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* spanning Android 14, 15, 16, and 16-QPR2. No CWE is formally assigned, but the root cause class is consistent with CWE-840 (Business Logic Errors) or CWE-284 (Improper Access Control), as the flaw bypasses an intended gating check rather than corrupting memory or leaking data.
RemediationAI
The primary fix is to apply the Android Security Patch Level (SPL) from the June 2026 Android Security Bulletin, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact patched version number or build ID is not independently confirmed from the provided data - patch availability is confirmed per vendor advisory only. Device manufacturers (OEMs) must integrate and distribute this patch in their own firmware updates, so patch availability will vary by device and vendor. As a compensating control prior to patch deployment, organizations managing corporate Android fleets via Mobile Device Management (MDM) solutions can restrict or disable dialer application access for restricted-user profiles, reducing the attack surface on shared or kiosk devices. This mitigation does not address the root logic flaw and may impact legitimate emergency call access in some deployment scenarios.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33814
GHSA-7cq5-j958-39ff