Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local app on device (AV:L), no special conditions (AC:L), requires unprivileged app install so PR:L, no user interaction, full impact via privileged NFC action.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android's NFC subsystem allows an unprivileged local app to spoof NFC events because of a missing permission check, granting capabilities normally reserved for privileged components. No user interaction is required, and no public exploit has been identified at time of analysis, though the issue is tracked in the Android Security Bulletin for Android 17. Despite the CVSS 4.0 vector encoding AV:N, the description clearly describes a local Android attack surface.
Technical ContextAI
The flaw lies in Android's NFC stack, the framework component that brokers Near Field Communication intents, tag dispatch, and host card emulation between system services and apps. Android enforces access to NFC events through permission-gated callbacks (typically guarded by signature-level or NFC-related permissions); when a code path omits the corresponding permission check, any installed app can deliver or receive NFC events as if it held those rights. No CWE is assigned in the input, but the behavior is the classic Missing Authorization / Missing Permission Check pattern (CWE-862-class) within an Android system service. The CPE cpe:2.3:a:google:android:*:* indicates the issue is in the Android platform itself rather than a single OEM build, so any device running an affected AOSP-derived release is in scope until the vendor patch is applied.
RemediationAI
Apply the Android security patch level referenced in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/android-17 - Patch available per vendor advisory; an exact fixed build string was not included in the input data, so administrators should match their device's security patch level to the bulletin's listed SPL. For fleets, push the updated SPL via MDM and confirm devices report the patched security_patch property; for OEM-customized builds, wait for the vendor's matching monthly update. Compensating controls while patching: restrict sideloading and enforce Play Protect / app vetting to reduce the chance of a malicious local app reaching the device (trade-off: friction for users installing internal apps), and disable NFC on devices that do not require it via MDM policy (trade-off: breaks tap-to-pay, transit cards, and tag-based workflows). No network-level mitigation applies because exploitation is on-device.
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37568