Skip to main content

Android CVE-2026-28587

| EUVDEUVD-2026-37574 CRITICAL
Missing Authorization (CWE-862)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
vuln.today AI
6.2 MEDIUM

Local app-to-provider attack with no permissions and no UI; only SMS/MMS confidentiality is impacted, so C:H with I:N/A:N and AV:L, not AV:N.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:22 vuln.today
CVE Published
Jun 17, 2026 - 07:21 cve.org
CRITICAL 10.0

DescriptionCVE.org

In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local information disclosure in Android's MmsSmsProvider component allows installed applications to read sensitive SMS/MMS data without holding the required permissions. The flaw stems from a missing permission check inside MmsSmsProvider.java, enabling any local app to query the content provider and exfiltrate message data without user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Publish benign-looking Android app
Delivery
Victim installs from store or sideload
Exploit
App queries MmsSmsProvider without SMS permission
Execution
Missing permission check returns message rows
Impact
Exfiltrate SMS/OTP data over network

Vulnerability AssessmentAI

Exploitation Attacker must have code execution on the device as an installed Android application (any normal-tier app with no SMS, MMS, or other dangerous permissions granted) targeting a device running an Android version prior to the fix shipped in the Android 17 bulletin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS 4.0 vector (AV:N, score 10.0, full C/I/A high on both vulnerable and subsequent systems) conflicts sharply with the CVE description, which explicitly states 'local information disclosure with no additional execution privileges needed' - a local app-to-app boundary crossing, not a remote network attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a benign-looking utility app on a sideload channel or third-party store; once installed, the app - holding no SMS-related permissions - issues a crafted query to the MmsSmsProvider content URI and receives back SMS/MMS rows it should not see. The attacker uses this to harvest banking OTPs, password-reset codes, and private conversations and exfiltrates them over the network. …
Remediation Patch available per vendor advisory: apply the Android 17 security patch level documented at https://source.android.com/docs/security/bulletin/android-17 as soon as the OEM distributes it for the affected device. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Android devices in the organization and identify those running versions prior to Android 17; document which devices process sensitive SMS data (2FA codes, banking alerts, health communications). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy