CVE-2026-28576 | In Contacts Provider, there is a possible way to access the … | CVSS 10.0 CRITICAL

Description

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Metadata

CVE ID: CVE-2026-28576
State: PUBLISHED
Assigner: google_android
Reserved: 2026-03-02 19:10 UTC
Published: 2026-06-17 07:19 UTC
Last updated: 2026-06-17 10:41 UTC
Primary CWE: CWE-89
CWE-89 Improper Neutralization of Special Elements used in a…
Vendor / Product: Android / Android
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Android	Android	—	17

Weakness (CWE)

CWE	Source	Description
—	cna	Information disclosure
CWE-89	adp	CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (1)

https://source.android.com/docs/security/bulletin/android-17