Skip to main content

Red Magic 11 Pro CVE-2026-40002

| EUVDEUVD-2026-23388 HIGH
Improper Privilege Management (CWE-269)
2026-04-17 zte
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.7 HIGH

Local malicious app (AV:L, PR:L) abuses unauthenticated service crossing the sandbox boundary (S:C); primary impact is partition writes and property changes (I:H/A:H) with limited data disclosure (C:L).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 08, 2026 - 03:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 03:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 03:37 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 03:37 NVD
MEDIUM HIGH
CVSS changed
Jul 08, 2026 - 03:37 NVD
5.0 (MEDIUM) 8.8 (HIGH)
Analysis Generated
Apr 17, 2026 - 08:22 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 08:15 euvd
EUVD-2026-23388
Analysis Generated
Apr 17, 2026 - 08:15 vuln.today
CVE Published
Apr 17, 2026 - 07:40 nvd
MEDIUM 5.0

DescriptionNVD

Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific partitions and set writable system properties.

AnalysisAI

Local privilege escalation in the Red Magic 11 Pro (NX809J) gaming smartphone through firmware V1.0.0B14MR1 allows a non-privileged installed application to invoke a sensitive service interface that fails to validate its callers, letting the app write files to specific device partitions and set writable system properties. Reported by ZTE/Nubia through their own support bulletin, the issue is rated CVSS 8.8 with a scope change (S:C) reflecting the crossing of the app-sandbox privilege boundary into system context. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and CISA SSVC records exploitation status as none.

Technical ContextAI

The affected component is an Android system service exposed by ZTE/Nubia's Red Magic firmware (CPE cpe:2.3:a:zte:red_magic_11_pro_(nx809j)) that offers a service interface (likely a bound Binder/AIDL service or exported provider) intended for privileged operations such as partition writes and system-property mutation. The root cause is CWE-269 (Improper Privilege Management): the service does not authenticate or authorize the calling application, so any third-party app running with ordinary, non-privileged Android permissions can reach operations that should be restricted to system/OEM-signed callers. On Android, writing to protected partitions and setting persistent/system-scoped properties normally requires system UID or SELinux domains far above an untrusted app, so the missing caller validation collapses that boundary.

RemediationAI

Update the Red Magic 11 Pro (NX809J) to the firmware version that supersedes V1.0.0B14MR1 as directed by ZTE's security bulletin (https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8224335890517684583); no exact fixed build number is stated in the available data, so confirm the patched version directly with the vendor advisory before deploying. As compensating controls until patched, restrict app installation to trusted sources only (disable sideloading/unknown-sources installs, which reduces convenience for power users), avoid installing untrusted or low-reputation apps since exploitation requires attacker-controlled code on the device, and enterprise/MDM fleets should gate this model or enforce that no third-party APKs are permitted. Because the flaw is reachable by any local app, the only complete fix is the firmware update; the sideloading restrictions merely shrink the pool of potential malicious callers rather than closing the interface.

Share

CVE-2026-40002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy