Impact
The flaw is in Android’s MediaProvider implementation, where an application can request read or write access to files that do not actually exist. Exploiting this logic error requires no special execution privileges and no user interaction, allowing a local attacker to elevate privileges and gain read/write access to unauthorized file paths. The weakness is classified under CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write, a memory corruption class). The potential impact includes unauthorized file manipulation, data compromise, and the ability for a malicious local app to perform operations beyond its intended scope.
Affected Systems
Affected are Android devices running versions 14.0 and 15.0, as well as Android 16.0, including the official release and the QPR2 beta series (beta 1, beta 2, and beta 3). These versions are identified through vendor/product listings that match the impacted Android releases.
Risk and Exploitability
The vulnerability has a CVSS score of 8.4, indicating high severity. Its EPSS score is less than 1%, indicating a very low current probability of exploitation, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The CVE description indicates that exploitation does not require user interaction; it can therefore be triggered by a local attacker who can install or run a malicious application under the device’s current user context. This inference is based on the absence of additional prerequisites in the description. Organizations should treat this with high urgency, particularly when devices are exposed to untrusted applications.