Description
Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local privilege escalation to system-level code execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw in the AssistFeedbackService on TECNO Pova7 Pro 5G allows a local application to run arbitrary code with system privileges. This vulnerability can be leveraged to compromise the device, install malware, exfiltrate data, and modify system settings without user awareness.

Affected Systems

The flaw is present only on TECNO Mobile’s Pova7 Pro 5G smartphone. No specific firmware or build identifiers are disclosed, so all units of this model may be affected unless a customer has upgraded to a patched firmware version.

Risk and Exploitability

The CVSS score of 7.8 indicates a significant impact, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, meaning no known widespread exploitation is recorded. The attack vector is inferred to be local: a malicious application installed on the device can trigger the service and execute code as system.

Generated by OpenCVE AI on April 2, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by TECNO Mobile for the Pova7 Pro 5G.
  • If an update is not yet available, remove any recently installed applications that could exploit the AssistFeedbackService.
  • Restrict app installation to trusted sources and disable unknown-source installations until a patch is applied.
  • Regularly review device logs for signs of unexpected privilege‑escalating activity.


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tecno Mobile; Tecno Mobile tecno Pova7 Pro 5g

Type: Vendors & Products
Values Removed: (none)
Values Added: Tecno Mobile; Tecno Mobile tecno Pova7 Pro 5g

Thu, 02 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:00:00 +0000

Values Removed: (none)
Values Added:
Description: Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.
Title: Code Execution in AssistFeedbackService on TECNO Pova7 Pro 5G
Weaknesses: CWE-88
References

MITRE

Status: PUBLISHED

Assigner: TECNOMobile

Published:

Updated: 2026-04-02T13:35:18.680Z

Reserved: 2026-01-06T01:33:04.882Z

Link: CVE-2026-0634

Vulnrichment

Updated: 2026-04-02T13:34:54.989Z

NVD

Status: Received

Published: 2026-04-02T09:16:20.397

Modified: 2026-04-02T14:16:24.817

Link: CVE-2026-0634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:44Z

Weaknesses