Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Local app-to-provider attack with no permissions and no UI; only SMS/MMS confidentiality is impacted, so C:H with I:N/A:N and AV:L, not AV:N.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
2DescriptionCVE.org
In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local information disclosure in Android's MmsSmsProvider component allows installed applications to read sensitive SMS/MMS data without holding the required permissions. The flaw stems from a missing permission check inside MmsSmsProvider.java, enabling any local app to query the content provider and exfiltrate message data without user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have code execution on the device as an installed Android application (any normal-tier app with no SMS, MMS, or other dangerous permissions granted) targeting a device running an Android version prior to the fix shipped in the Android 17 bulletin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reported CVSS 4.0 vector (AV:N, score 10.0, full C/I/A high on both vulnerable and subsequent systems) conflicts sharply with the CVE description, which explicitly states 'local information disclosure with no additional execution privileges needed' - a local app-to-app boundary crossing, not a remote network attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a benign-looking utility app on a sideload channel or third-party store; once installed, the app - holding no SMS-related permissions - issues a crafted query to the MmsSmsProvider content URI and receives back SMS/MMS rows it should not see. The attacker uses this to harvest banking OTPs, password-reset codes, and private conversations and exfiltrates them over the network. … |
| Remediation | Patch available per vendor advisory: apply the Android 17 security patch level documented at https://source.android.com/docs/security/bulletin/android-17 as soon as the OEM distributes it for the affected device. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Android devices in the organization and identify those running versions prior to Android 17; document which devices process sensitive SMS data (2FA codes, banking alerts, health communications). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37574