Description
In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing permission check in Android’s NFC subsystem allows a malicious NFC tag to forge an NFC event. This spoofing can trigger privileged actions on the device without the attacker requiring additional execution capabilities or user interaction. The flaw enables a local attacker to elevate their privileges, potentially accessing or modifying system resources.

Affected Systems

Android devices whose NFC implementation contains the unchecked permission logic, covering any Android version that ships with the affected NFC code. All affected devices should be treated as vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 10 marks the vulnerability as critical. The EPSS score of less than 1% indicates that, while widespread exploitation is currently unlikely, the flaw remains a serious risk due to its local privilege escalation potential. It is not listed in the CISA KEV catalog, but user interaction is not required for exploitation – a malicious NFC tag can trigger the spoofed event automatically.

Generated by OpenCVE AI on June 17, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that addresses the NFC permission flaw
  • Disable NFC functionality on devices when it is not needed to prevent accidental tag spoofing
  • Configure devices to allow NFC communication only after explicit user activation or following a trusted‑tag policy



Advisories

No advisories yet.

History

Wed, 17 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google android
Vendors & Products | | Google; Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References | |
Metrics | | cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T14:19:56.658Z

Reserved: 2025-10-15T15:42:14.901Z

Link: CVE-2026-0081

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T09:00:06Z

Weaknesses

No weakness.