Description
In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Android Contacts Provider there is a missing permission check that allows an application to read the phone number and associated metadata of an incoming call. This flaw can result in local information disclosure to any app that can request contacts access. The vulnerability does not grant additional execution privileges and does not require user interaction, meaning the data can be retrieved purely by the presence of an incoming call.

Affected Systems

The affected product is the Android operating system, produced by Google. No specific versions are listed in the available data.

Risk and Exploitability

The EPSS score indicates a probability of exploitation below 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, targeting a device that has an ongoing incoming call, and does not require user interaction. The CVSS score of 3.3 reflects a low severity risk.

Generated by OpenCVE AI on June 18, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Android security update from Google to patch the Contacts Provider permission check.
  • Restrict or revoke the CALL_PHONE and READ_CONTACTS permissions from applications that do not require access to call metadata.
  • If you manage devices centrally, enforce a device policy that blocks the Contacts Provider from being accessed by non‑trusted applications until the vulnerability is patched.

Generated by OpenCVE AI on June 18, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Contacts Provider Permission Check Missing Allows Unprivileged Call Information Disclosure

Thu, 18 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Title Contacts Provider Missing Permission Check Enables Local Call Data Disclosure
Weaknesses CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Contacts Provider Missing Permission Check Enables Local Call Data Disclosure
Weaknesses CWE-285
CWE-862
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T13:35:01.894Z

Reserved: 2025-10-15T15:40:32.998Z

Link: CVE-2026-0057

cve-icon Vulnrichment

Updated: 2026-06-17T13:34:33.322Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:00:13Z

Weaknesses