Impact
The vulnerability is a logic error in the PostWipeData function defined in recovery_ui.cpp whereby data intended to be erased during a factory reset remains accessible. This flaw permits local information disclosure without granting extra privileges or requiring the user to take any action. Because the defect affects only information that resides on the device, the impact is confined to confidentiality at the local level.
Affected Systems
Affected systems include devices running Google Android, particularly those using the recovery_ui component at the time of the factory reset. The the reference points to Pixel devices in Google’s Android security bulletin. No version range is stated, so any device that incorporates the vulnerable code segment may be at risk.
Risk and Exploitability
The CVSS score of 3.3 indicates a low severity rating, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog, meaning no known large‑scale exploits have been reported. Nevertheless, because the attack does not require user interaction or elevated privileges, any compromised device could leak private data during a factory reset.
OpenCVE Enrichment