CVE-2026-0082 | In tryStartActivity of NfcDispatcher.java, there is a possib… | CVSS 10.0 CRITICAL

Description

In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metadata

CVE ID: CVE-2026-0082
State: PUBLISHED
Assigner: google_android
Reserved: 2025-10-15 15:42 UTC
Published: 2026-06-17 07:13 UTC
Last updated: 2026-06-17 14:09 UTC
Primary CWE: CWE-453
CWE-453 Insecure Default Variable Initialization
Vendor / Product: Google / Android
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Google	Android	—	17

Weakness (CWE)

CWE	Source	Description
—	cna	Elevation of privilege
CWE-453	adp	CWE-453 Insecure Default Variable Initialization

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (1)

https://source.android.com/docs/security/bulletin/android-17