Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
SQL injection across multiple contacts database functions in Google Android enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated privileges or user interaction. The flaw allows an unprivileged local process or malicious application to inject arbitrary SQL into contacts database queries, resulting in unauthorized read, write, and partial denial-of-service impact against contact data. No public exploit has been identified at time of analysis, and EPSS probability stands at 0.01%, consistent with a local-only attack surface, though the absence of any privilege prerequisite (PR:N) lowers the bar for any attacker already on the device.
Technical ContextAI
Android's contacts provider stores data in a SQLite database accessed through a content provider layer. CWE-89 (SQL Injection) indicates that one or more of the functions responsible for querying or manipulating this database fail to properly parameterize or sanitize caller-supplied input before constructing SQL statements. On Android, content providers can be accessible to third-party applications depending on export permissions and calling app grants, meaning a malicious app with no declared permissions could potentially invoke these vulnerable functions. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers the full Android application platform across all architectures, and the EUVD confirms exposure across four distinct release lines: Android 14, Android 15, Android 16, and Android 16-qpr2.
RemediationAI
Apply the June 2026 Android Security Bulletin patch, referenced at https://source.android.com/docs/security/bulletin/2026/2026-06-01; this is the primary fix. Exact patched build versions are not independently confirmed from the available input data - consult the bulletin directly and verify OEM-specific patch rollout timelines, as Android updates are distributed through device manufacturers and carriers who may lag behind the bulletin date. As a compensating control while awaiting the patch, organizations managing enterprise Android deployments via MDM can restrict installation of untrusted or sideloaded applications, reducing the local attacker footprint, though this does not eliminate risk from malicious apps distributed through legitimate channels. Users on affected versions (Android 14, 15, 16, 16-qpr2) should prioritize applying monthly security updates as they become available from their device OEM.
Same weakness CWE-89 – SQL Injection
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33791
GHSA-95qw-g548-3232