Description
In Nfc::eventCallback() of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Nfc::eventCallback() function of Android's NFC stack, where a race condition can cause a use‑after‑free scenario. Exploitation allows a locally running user – even without additional privileges – to escape the confines of the standard security sandbox and gain elevated privileges on the device. This flaw permits malicious code to run with the system account, potentially reading or modifying sensitive data, tampering with system services, or installing persistent malware. The underlying weakness is a classic use‑after‑free bug triggered by a race condition, a critical flaw that jeopardizes system integrity and confidentiality.

Affected Systems

The affected vendor is Google; the product is Android. The vulnerability is reported for the Android OS, but no specific versions are listed; it is a general Android issue. Administrators should verify which Android releases incorporate the fix, such as Android 17, as indicated in the security bulletin at source.android.com/docs/security/bulletin/android-17. This vulnerability may affect any device running that or earlier firmware that has not yet applied the patch.

Risk and Exploitability

The CVSS score of 10 indicates a critical impact. The EPSS score of less than 1 percent suggests that the probability of exploitation is currently very low, but the flaw remains a potentially severe local attack vector on Android devices. Because no user interaction is required and no additional execution privileges are needed, a local attacker can trigger the race condition by interacting with the NFC subsystem, for example, by rapidly sending multiple NFC commands. The risk remains high until the patch is applied, however the low exploitation likelihood may reduce the urgency for immediate remediation. Nonetheless, the critical severity warrants swift action.

Generated by OpenCVE AI on June 18, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android OS update that fixes the NFC use‑after‑free bug; this patch is listed in the Android 17 security bulletin.
  • If an update is not yet available for a device, disable the NFC functionality to prevent exploitation until the fix is deployed.
  • Monitor system logs for anomalous NFC activity and investigate any unusual events originating from the NFC subsystem.

Generated by OpenCVE AI on June 18, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Android NFC Use-After-Free Enables Local Privilege Escalation

Thu, 18 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Android NFC Component Enables Local Privilege Escalation
Weaknesses CWE-416

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Android NFC Component Enables Local Privilege Escalation
Weaknesses CWE-362
CWE-416
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In Nfc::eventCallback() of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-18T03:56:02.613Z

Reserved: 2025-10-15T15:42:16.661Z

Link: CVE-2026-0083

cve-icon Vulnrichment

Updated: 2026-06-17T14:10:35.349Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')