Description
In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Apply Patch
AI Analysis

Impact

In Android’s notification framework, the method responsible for hiding sensitive data in expandable notifications contains a logic flaw that can leak a contact name. This defect allows an attacker to retrieve the name of a contact displayed in a notification without needing any privileges beyond those granted to ordinary applications or the user. The vulnerability does not permit further exploitation or privilege escalation; it merely exposes personal information that could be sensitive to the user.

Affected Systems

The flaw affects Google Android releases from version 14.0 onward, including 15.0 and 16.0 and any subsequent builds that include the unpatched notification code.

Risk and Exploitability

The CVSS score of 6.2 indicates a moderate impact. The exploit probability is very low, with an EPSS score of less than 1%, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is local; the victim must have the device to view the notification. Because no user interaction is required beyond normal notification viewing, any authorized user could inadvertently expose contact names.

Generated by OpenCVE AI on April 16, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Android to the latest version that includes the cumulative update addressing this notification code defect
  • If an immediate update is not possible, disable or restrict the display of sensitive contact information in notifications through device settings or by using a third‑party notification manager that masks contact names
  • Review Google’s security bulletin for any additional guidance or temporary workarounds and apply them as soon as they become available

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284, CWE-693
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared: Google; Google android
Weaknesses: NVD-CWE-noinfo
CPEs:
  cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
  cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
  cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
Vendors & Products: Google; Google android
Metrics: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description: In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:48:17.223Z

Reserved: 2025-10-15T15:38:42.392Z

Link: CVE-2026-0012

Vulnrichment

Updated: 2026-03-03T15:46:59.847Z

NVD

Status: Modified

Published: 2026-03-02T19:16:29.703

Modified: 2026-03-06T04:16:03.520

Link: CVE-2026-0012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z