Impact
The vulnerability resides in the Nfc::eventCallback() function of Android's NFC stack, where a race condition can cause a use-after-free. Exploitation allows a local user, even one without additional privileges, to escape the standard security sandbox and gain elevated privileges on the device. The flaw permits malicious code to run as the system account, potentially reading or modifying sensitive data, tampering with system services, or installing persistent malware. The underlying weakness is a classic use-after-free bug, a critical flaw that jeopardizes system integrity and confidentiality.
Affected Systems
The affected vendor is Google; the product is Android. The vulnerability is reported for the Android OS, but no specific versions are listed; it is a general Android issue. Administrators should verify which Android releases incorporate the fix, such as Android 17, as indicated in the security bulletin at source.android.com/docs/security/bulletin/android-17. The vulnerability may affect any device running that release or earlier firmware to which the patch has not yet been applied.
Risk and Exploitability
The CVSS score of 10 indicates a critical impact. The EPSS score of less than 1 percent suggests that the probability of exploitation is currently very low, but the flaw remains a potentially severe local attack vector on Android devices. Because no user interaction is required and no additional execution privileges are needed, a local attacker can trigger the race condition by interacting with the NFC subsystem, for example by rapidly sending multiple NFC commands. The risk remains high until the patch is applied; however, the low exploitation likelihood may reduce the urgency for immediate remediation. Nonetheless, the critical severity warrants swift action.