Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Description states local information disclosure exploitable by an app without extra privileges, so AV:L and PR:L (installed-app context); only confidentiality is impacted, hence I:N/A:N.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
2DescriptionCVE.org
In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.
Technical ContextAI
The Contacts Provider is the system ContentProvider (com.android.providers.contacts) that mediates structured access to contacts, call log, and related personal data through SQLite-backed URIs. A SQL injection in this provider means user-controlled input is concatenated into a query (or selection/selectionArgs are mishandled) instead of being parameterized, allowing an unprivileged caller to break out of the intended query scope and read rows it would not normally be authorized to see. The affected CPE is cpe:2.3:a:android:android:*:*:*:*:*:*:*:*, indicating an Android platform-level issue rather than an OEM-specific app, and although the input lists CWE as N/A the tags and description align with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
RemediationAI
Apply the Android security patch level published in the Android 17 bulletin (https://source.android.com/docs/security/bulletin/android-17) - devices reporting that SPL or later include the Contacts Provider fix; this is the primary and recommended remediation. For devices that cannot be updated immediately, compensating controls include avoiding installation of untrusted third-party apps, using a work profile or secondary user to isolate sensitive contacts, and on managed fleets restricting sideloading via MDM policy (UNKNOWN_SOURCES disallowed) - note these controls reduce but do not eliminate exposure because any installed app, even from Play, could theoretically invoke the vulnerable provider. No vendor-supplied workaround for the provider itself is documented, so prioritize OTA rollout via the OEM patch channel.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37573