Description
In isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A missing permission check in the MediaProvider component of Android allows an application to query the location of media files via the content resolver. Because no authorization is enforced, local attackers can disclose the file paths of media stored on the device without requiring additional execution privileges or user interaction.

Affected Systems

The vulnerability affects Google Android releases 14, 15, and 16, including the standard 16.0 release and the pre‑release builds qpr2 beta 1, beta 2, and beta 3.

Risk and Exploitability

The CVSS score of 4 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. Although the vulnerability is not listed in the CISA KEV catalog, it can be exploited by a local privilege universe, such as any process running on the device, to glean media file locations. No additional privileges or user interaction are required, so an attacker could obtain location information by simply invoking the affected content resolver API from a malicious application or script running on the device.

Generated by OpenCVE AI on April 16, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest Android security patch issued in March 2026 that addresses the missing permission check in MediaProvider.
  • Restrict media provider access by configuring the system to allow the content resolver only for apps with explicit media permissions or by using package-level restrictions.
  • Review installed applications and remove any that unnecessarily query the MediaProvider without a clear need, thereby reducing the attack surface for this information disclosure.

Generated by OpenCVE AI on April 16, 2026 at 14:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure in Android MediaProvider Due to Missing Permission Check

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:* cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 03 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*
Vendors & Products Google
Google android

Tue, 03 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:51:17.337Z

Reserved: 2025-10-15T15:39:02.278Z

Link: CVE-2026-0024

cve-icon Vulnrichment

Updated: 2026-03-03T14:58:09.056Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:30.567

Modified: 2026-03-06T04:16:04.917

Link: CVE-2026-0024

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses