Description
In applySimpleFieldMaxSize of DataRowHandler.java, there is a possible way to insert a large contact name due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the applySimpleFieldMaxSize method of DataRowHandler.java, where an attacker can insert a contact name that exceeds normal limits because the input is not properly validated. This abuse may cause the device to consume excessive memory, trigger application crashes, or otherwise make the contacts subsystem unavailable, resulting in a local denial of service. The weakness is a form of improper input validation that enables uncontrolled resource consumption, aligning with CWE-20.

Affected Systems

Android devices supplied or updated by Google that include the vulnerable DataRowHandler component. The public advisory does not list specific version numbers, but any device running the affected component may be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. EPSS data is not available, but the exploit does not require special privileges or user interaction beyond adding a contact. The attack vector is local; therefore, the network security risk is low. However, the impact on device availability can be significant if large contacts are created. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation to date.

Generated by OpenCVE AI on June 2, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security patch that addresses the DataRowHandler input validation flaw, as referenced in the June 2026 security bulletin.
  • Avoid creating contacts with excessively long names; if large names already exist, remove or shorten them to reduce memory pressure.
  • Restart the device after making these changes to release any allocated resources and monitor the contacts application for abnormal behavior.

Generated by OpenCVE AI on June 2, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Large Contact Name Allows Local Denial of Service in Android
Weaknesses CWE-400

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Large Contact Name Allows Local Denial of Service in Android
First Time appeared Google
Google android
Weaknesses CWE-400
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In applySimpleFieldMaxSize of DataRowHandler.java, there is a possible way to insert a large contact name due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:18:20.213Z

Reserved: 2025-10-15T15:42:41.638Z

Link: CVE-2026-0085

cve-icon Vulnrichment

Updated: 2026-06-01T23:18:08.036Z

cve-icon NVD

Status : Received

Published: 2026-06-01T22:16:22.230

Modified: 2026-06-02T00:16:36.143

Link: CVE-2026-0085

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T03:30:26Z

Weaknesses