Impact
An SQL injection flaw exists in the Android Contacts Provider that allows a local attacker, based on the description, to construct malicious input that is used in an unparameterized SQL query. The flaw is identified as CWE‑89 and permits the extraction of the entire contacts database. The compromise is limited to local information disclosure, exposing personal contact data and undermining user confidentiality.
Affected Systems
Android devices that include the Contacts Provider component are affected. Because the list of specific Android releases is not provided, any device running a version of Android that contains this provider is potentially impacted until a patch is applied.
Risk and Exploitability
The CVSS score of 10 signals a critical severity, while the EPSS score of less than 1% indicates a low current exploitation likelihood. The vulnerability is local and does not require user interaction or elevated privileges, meaning that a malicious application with contact access could exploit it on the device. The flaw is not listed in CISA’s KEV catalog, suggesting no widespread exploitation activity has been documented.
OpenCVE Enrichment