Skip to main content

Android Contacts Provider EUVDEUVD-2026-37573

| CVE-2026-28576 CRITICAL
SQL Injection (CWE-89)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
vuln.today AI
5.5 MEDIUM

Description states local information disclosure exploitable by an app without extra privileges, so AV:L and PR:L (installed-app context); only confidentiality is impacted, hence I:N/A:N.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:22 vuln.today
CVE Published
Jun 17, 2026 - 07:19 cve.org
CRITICAL 10.0

DescriptionCVE.org

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.

Technical ContextAI

The Contacts Provider is the system ContentProvider (com.android.providers.contacts) that mediates structured access to contacts, call log, and related personal data through SQLite-backed URIs. A SQL injection in this provider means user-controlled input is concatenated into a query (or selection/selectionArgs are mishandled) instead of being parameterized, allowing an unprivileged caller to break out of the intended query scope and read rows it would not normally be authorized to see. The affected CPE is cpe:2.3:a:android:android:*:*:*:*:*:*:*:*, indicating an Android platform-level issue rather than an OEM-specific app, and although the input lists CWE as N/A the tags and description align with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

RemediationAI

Apply the Android security patch level published in the Android 17 bulletin (https://source.android.com/docs/security/bulletin/android-17) - devices reporting that SPL or later include the Contacts Provider fix; this is the primary and recommended remediation. For devices that cannot be updated immediately, compensating controls include avoiding installation of untrusted third-party apps, using a work profile or secondary user to isolate sensitive contacts, and on managed fleets restricting sideloading via MDM policy (UNKNOWN_SOURCES disallowed) - note these controls reduce but do not eliminate exposure because any installed app, even from Play, could theoretically invoke the vulnerable provider. No vendor-supplied workaround for the provider itself is documented, so prioritize OTA rollout via the OEM patch channel.

Share

EUVD-2026-37573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy