Description
In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the NfcDispatcher.java of the Android operating system, where an insecure default value allows tryStartActivity to automatically assign a special app access permission. This flaw permits a local attacker to elevate privileges without requiring any additional execution rights or user interaction. The consequence is that a malicious application or user can gain privileged access to system resources by abusing the NFC service. The weakness corresponds to incorrect default permissions (CWE‑276).

Affected Systems

Android devices that contain the NFC dispatcher component with the insecure default setting are vulnerable; the CVE payload does not specify a particular Android version, so affected releases cannot be identified without consulting the referenced security bulletin.

Risk and Exploitability

The CVSS score of 10 indicates maximum severity. The EPSS score of less than 1% shows a very low, but not zero, current exploitation probability. The flaw is not yet listed in the CISA KEV catalog. Exploitation requires only local access to the device; no network or user interaction is needed, making it potentially easier for an insider or an attacker with physical or local device access to exploit. The absence of user prompts lowers the detection risk. Consequently, the risk remains high for any device that is not patched or hardened against NFC-based privilege escalation.

Generated by OpenCVE AI on June 17, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security patch that addresses the NFC dispatcher permission assignment flaw.
  • Disable or restrict NFC functionality on devices that do not require it, either through device settings or management profiles.
  • Revoke or limit special app access permissions that were automatically granted to applications via the NFC service.
  • Monitor system logs for abnormal changes in permission assignments and report any suspicious activity to the device administrator.
  • Contact Google for detailed firmware updates for legacy Android versions that cannot receive the patch.

Generated by OpenCVE AI on June 17, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T14:09:25.710Z

Reserved: 2025-10-15T15:42:15.300Z

Link: CVE-2026-0082

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T08:30:04Z

Weaknesses

No weakness.