
CVE-2026-0057: Android Information Disclosure Vulnerability

CVE-2026-0057 is an information disclosure vulnerability in Google Android's Contacts Provider that exposes incoming call phone numbers and metadata. This article covers the technical details, affected versions, and mitigation.

CVE-2026-0057 Overview

CVE-2026-0057 affects the Contacts Provider component in Google Android 17.0. The vulnerability stems from a missing permission check that allows a local application to access an incoming call's phone number and associated metadata. Exploitation requires no additional execution privileges and no user interaction is needed to trigger the flaw. The issue is classified under [CWE-862] Missing Authorization. Successful exploitation results in local information disclosure of call-related data that should be restricted to applications holding the appropriate permissions.

Critical Impact

A local application without call-related permissions can read incoming call phone numbers and metadata from the Contacts Provider, exposing sensitive communication data.

Affected Products

  • Google Android 17.0
  • Devices running the Contacts Provider component shipped with Android 17.0
  • Android distributions derived from the affected AOSP release

Discovery Timeline

  • 2026-06-17 - CVE-2026-0057 published to NVD
  • 2026-06-17 - Last updated in NVD database
  • Patch information published in the Android Security Bulletin

Technical Details for CVE-2026-0057

Vulnerability Analysis

The Contacts Provider is the Android content provider responsible for storing and exposing contacts, call log, and related metadata. Applications query this provider through standard ContentResolver interfaces. Access to call data is normally gated by permissions such as READ_CALL_LOG and READ_PHONE_STATE.

In the affected Android 17.0 release, a code path within the Contacts Provider returns incoming call phone numbers and associated metadata without verifying that the calling application holds the required permission. Any locally installed application can issue a query and receive call data it is not authorized to read.

The weakness is categorized as [CWE-862] Missing Authorization. The flaw does not enable code execution or privilege escalation. Impact is limited to disclosure of call-related information. According to the NVD entry, no exploit is publicly available, the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, and the EPSS probability is 0.08%.

Root Cause

The root cause is an absent permission enforcement step in a Contacts Provider handler that surfaces incoming call data. The provider exposes the data through its content URI interface without invoking the expected checkCallingPermission or equivalent enforcement before returning rows. Applications without call log or phone permissions therefore receive data intended only for authorized callers.
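As an added illustration (this is not AOSP code and not the patched Contacts Provider), the Java below shows a minimal ContentProvider with the pattern the advisory describes: a query handler that returns incoming call data with no authorization step, beside the same handler with the permission enforced on the calling UID. The authority, column names and the sample row are hypothetical and constructed for the example.

```java
// Added example, not Android/AOSP code. Authority, columns and the sample
// row are hypothetical; the point is the presence or absence of the check.
package com.example.callinfo;

import android.Manifest;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;

public class IncomingCallProvider extends ContentProvider {

    public static final String AUTHORITY = "com.example.callinfo";
    public static final Uri INCOMING_URI =
            Uri.parse("content://" + AUTHORITY + "/incoming");
    private static final String[] COLUMNS = {"number", "timestamp", "presentation"};

    // Constructed sample row standing in for the last incoming call.
    private static final Object[] SAMPLE_ROW = {"+15555550100", 1780000000000L, 1};

    @Override
    public boolean onCreate() {
        return true;
    }

    // VULNERABLE pattern (CWE-862 Missing Authorization): the handler hands the
    // row to whoever asks. Nothing identifies the calling UID or checks what it
    // holds, so any installed app that can reach this path receives the number.
    public Cursor queryWithoutCheck(Uri uri, String[] projection, String selection,
                                    String[] selectionArgs, String sortOrder) {
        MatrixCursor c = new MatrixCursor(COLUMNS);
        c.addRow(SAMPLE_ROW);
        return c;
    }

    // HARDENED handler: enforce the permission against the calling UID before
    // touching any data. enforceCallingOrSelfPermission throws SecurityException
    // when the caller lacks READ_CALL_LOG, so an unauthorized app gets an
    // exception rather than a Cursor. checkCallingPermission(...) ==
    // PackageManager.PERMISSION_GRANTED is the non-throwing equivalent.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        getContext().enforceCallingOrSelfPermission(
                Manifest.permission.READ_CALL_LOG,
                "READ_CALL_LOG is required to read incoming call data");
        MatrixCursor c = new MatrixCursor(COLUMNS);
        c.addRow(SAMPLE_ROW);
        return c;
    }

    // Remaining abstract methods; this example provider is read-only.
    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.incoming";
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        return null;
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return 0;
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection,
                      String[] selectionArgs) {
        return 0;
    }
}
```

The framework already enforces an android:readPermission declared on the provider's manifest element before query() is reached, so an explicit in-code check like the one above is what protects entry points the manifest permission does not cover: paths opened through path-permission or grantUriPermissions exceptions, and the call() entry point, where the framework applies no read or write permission and the provider must check the caller itself. A review of a provider for this class of bug therefore walks every handler that can return call data and confirms each one reaches an enforcement call before the data is assembled.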

Attack Vector

Exploitation requires only that an unprivileged application be installed on the device. The attacker application queries the affected Contacts Provider interface during or after an incoming call and retrieves the caller phone number and metadata. No user prompt, accessibility service, or runtime permission grant is required. The attack vector is local and the attack complexity is low. The malicious application can run silently in the background and collect call data over time.

For technical specifics, refer to the Android Security Bulletin.

Detection Methods for CVE-2026-0057

Indicators of Compromise

  • Installed applications that query the Contacts Provider call data URIs without declaring READ_CALL_LOG or READ_PHONE_STATE in their manifest
  • Background processes accessing Contacts Provider content URIs concurrent with incoming call events
  • Unexpected network exfiltration of phone number strings or call metadata shortly after call events

Detection Strategies

  • Audit installed applications on Android 17.0 devices and review declared permissions against the providers they query at runtime
  • Inspect application manifests and runtime behavior using mobile application analysis tooling to flag undeclared access to call data
  • Where instrumentation captures it, record Contacts Provider queries issued by applications without corresponding call permissions; stock Android does not write ordinary content provider queries to logcat, so this relies on mobile threat defense or app-analysis tooling rather than system logs alone

Monitoring Recommendations

  • Enable enterprise mobility management telemetry to track applications installed on Android 17.0 endpoints and their permission declarations
  • Forward mobile device logs to a centralized log platform and alert on anomalous Contacts Provider access patterns
  • Track the patch level reported by managed devices and flag any device still reporting the pre-fix security patch level

How to Mitigate CVE-2026-0057

Immediate Actions Required

  • Apply the Android security patch level that addresses CVE-2026-0057 as published in the Android Security Bulletin
  • Inventory Android 17.0 devices in the environment and prioritize patch deployment for devices that handle sensitive communications
  • Restrict installation of untrusted applications through enterprise mobile device management policy until patches are deployed

Patch Information

Google has addressed the issue in the Android security update referenced by the Android Security Bulletin. Device manufacturers ship the corresponding security patch level through their standard update channels. Confirm that managed devices report the security patch level that includes the Contacts Provider fix.

Workarounds

  • Limit application installations to vetted sources such as managed Google Play storefronts until the patch is applied
  • Use mobile threat defense policies to block applications that request or attempt to access call-related content providers without justification
  • Apply work profile separation so that sensitive call activity occurs on devices or profiles where only trusted applications are installed
```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch

# List applications that declare call log or phone permissions.
# 'pm list packages -U' would append "uid:NNNN" to each line and break the
# package name, so the plain listing is used. adb shell consumes stdin, so it
# is redirected from /dev/null inside the loop; CRs are stripped in case the
# device emits CRLF.
adb shell pm list packages | tr -d '\r' | while read -r line; do
  pkg="${line#package:}"
  if adb shell dumpsys package "$pkg" </dev/null | grep -qE 'READ_CALL_LOG|READ_PHONE_STATE'; then
    echo "$pkg"
  fi
done
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
