Skip to main content

Google EUVDEUVD-2026-18140

| CVE-2026-0634 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-04-02 TECNOMobile GHSA-pq33-qwwq-ggx5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 09:00 euvd
EUVD-2026-18140
Analysis Generated
Apr 02, 2026 - 09:00 vuln.today
CVE Published
Apr 02, 2026 - 08:48 nvd
HIGH 7.8

DescriptionCVE.org

Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.

AnalysisAI

Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

AssistFeedbackService is a system service in TECNO Pova7 Pro 5G firmware that processes feedback from applications. The vulnerability stems from CWE-88 (improper neutralization of argument delimiters in a command), indicating that user-controlled input from local applications is passed unsanitized to shell command execution functions. This allows third-party apps installed on the device to inject shell metacharacters and arbitrary commands that execute in the system context. The CPE identifier (cpe:2.3:a:tecno_mobile:tecno_pova7_pro_5g) indicates this is a firmware/system application vulnerability affecting the specific TECNO Pova7 Pro 5G model line.

RemediationAI

Users should immediately check the TECNO Mobile security updates portal at https://security.tecno.com/SRC/securityUpdates for available firmware patches addressing this AssistFeedbackService vulnerability. Apply the latest firmware version when available through Settings > System > System Update on affected TECNO Pova7 Pro 5G devices. As an interim mitigation pending patch deployment, restrict installation of apps from untrusted sources (enable "Install from Unknown Sources" toggle off) and regularly review installed applications for suspicious behavior or unexpected permissions requests. Avoid sideloading APKs from unofficial channels until a patch is released.

Share

EUVD-2026-18140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy