Description
In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Android Contacts Provider is missing a permission check, which allows an application to read the phone number and associated metadata of an incoming call. This flaw can result in local information disclosure to any app that can request contacts access. The vulnerability does not grant additional execution privileges and does not require user interaction, so the data can be retrieved whenever an incoming call is present.

Affected Systems

The affected product is the Android operating system, produced by Google. No specific versions are listed in the available data.

Risk and Exploitability

The EPSS score indicates a probability of exploitation below 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, targeting a device that has an ongoing incoming call, and does not require user interaction. The impact is limited to information disclosure; however, if an attacker can intercept sensitive call details this could assist other attack vectors.

Generated by OpenCVE AI on June 17, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Android security update once Google releases a patch for this issue; check the Android Security Bulletin for patch details.
  • Restrict or revoke the CALL_PHONE and READ_CONTACTS permissions from applications that do not require access to call metadata.
  • If you manage devices centrally, enforce a device policy that blocks the Contacts Provider from being accessed by non‑trusted applications until the vulnerability is patched.



Advisories

No advisories yet.

History

Wed, 17 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google android
Vendors & Products | | Google; Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T13:35:01.894Z

Reserved: 2025-10-15T15:40:32.998Z

Link: CVE-2026-0057

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T07:30:04Z

Weaknesses

No weakness.