Description
In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in multiple functions of btm_sec.cc allows an attacker to intercept SMS messages. The flaw can lead to remote disclosure of sensitive information without requiring elevated execution privileges. User interaction is required for exploitation, meaning the victim must grant or enable a feature that permits the attacker to read SMS data.

Affected Systems

The vulnerability affects Android devices provided by Google. Specific affected Android versions are not listed in the provided data, and no CPE strings are available.

Risk and Exploitability

The CVSS score is 4.3, indicating a low severity, and the EPSS score is below 1%, reflecting a very low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The attack likely stems from a local flaw that requires the user to interact with the system or accept a permission, so an attacker would need to trick the victim into enabling the interception path. Overall, the risk to information confidentiality is moderate but limited by the need for user involvement.

Generated by OpenCVE AI on June 17, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security update as soon as it becomes available.
  • Review the SMS permissions granted to installed applications and revoke any that are unnecessary for core functionality.
  • Enable Android’s built‑in SMS protection features or use a reputable third‑party SMS manager that limits access to message content.

Generated by OpenCVE AI on June 17, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T10:43:33.116Z

Reserved: 2025-05-22T18:11:40.406Z

Link: CVE-2025-48571

cve-icon Vulnrichment

Updated: 2026-06-17T10:43:24.836Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T07:30:04Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure