Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack via an installed app (AV:L, PR:L, UI:N); logic error reliably triggered (AC:L); integrity of carrier-restriction state is broken (I:H) with no confidentiality or availability impact and no scope change.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android's telephony subsystem (PhoneInterfaceManager) allows attackers to disable carrier restrictions without any user interaction or additional execution privileges. The flaw stems from a logic error in the setAllowedCarriers handler and is addressed in the Android Security Bulletin for Android 17. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be able to run unprivileged code locally on the Android device - i.e., have a locally installed app (any app, including one with no special permissions) that can reach the PhoneInterfaceManager Binder interface and call setAllowedCarriers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reported CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with H impact on both vulnerable and subsequent systems) and the 10.0 score are inconsistent with the description, which explicitly says 'local escalation of privilege' - a local attacker on an Android device, not a network-reachable attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or trojanized app installed on an Android device (e.g., via sideloading or a Play Store abuse) invokes the telephony manager's setAllowedCarriers path and exploits the logic error to clear the carrier-restriction list, effectively unlocking a carrier-locked or subsidized device without root or user interaction. The unlocked device can then be resold or moved to another carrier, defeating subsidy-lock business controls; no public POC has been referenced in the available data. |
| Remediation | Patch available per vendor advisory: apply the Android Security Bulletin for Android 17 (https://source.android.com/docs/security/bulletin/android-17) by updating to a security patch level that includes the fix to PhoneInterfaceManager.setAllowedCarriers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and inventory all Android 17 devices in deployment; document carrier restriction configurations and baseline access controls. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37575