
CVE-2026-0075: Google Android SQLI Vulnerability

CVE-2026-0075 is a SQL injection flaw in Google Android that enables unauthorized access to the contacts database, leading to local privilege escalation. This article covers technical details, affected versions, and mitigation.

CVE-2026-0075 Overview

CVE-2026-0075 is a SQL injection vulnerability [CWE-89] affecting multiple functions in Google Android. The flaw allows a local application to access the contacts database without additional execution privileges. Exploitation requires no user interaction and can lead to local privilege escalation.

The vulnerability affects Android 14, Android 15, and Android 16, including QPR2 beta releases. Google addressed the issue in the Android Security Bulletin published on June 1, 2026.

Critical Impact

A local malicious application can issue crafted queries that bypass intended access controls and read contacts database content, leading to information disclosure and local privilege escalation.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing the issue
  • 2026-06-01 - CVE-2026-0075 published to the National Vulnerability Database (NVD)
  • 2026-06-03 - CVE-2026-0075 last modified in NVD

Technical Details for CVE-2026-0075

Vulnerability Analysis

The vulnerability is a SQL injection weakness present in multiple functions that interact with the Android contacts database. Untrusted input flows into SQL statements without proper parameterization or sanitization. A local attacker running an unprivileged application can craft input that alters query semantics.

Successful exploitation grants read access to contacts data the calling application would not otherwise possess. The Common Weakness Enumeration classification is [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).

Root Cause

The root cause is dynamic construction of SQL query strings using attacker-controlled values. The affected functions concatenate input directly into queries rather than using parameterized statements or strict input validation. This pattern enables injection across multiple call sites within the contacts provider logic.

Attack Vector

The attack vector is local. A malicious application installed on the device sends crafted parameters to the vulnerable functions through standard inter-process communication channels. No user interaction or elevated privileges are required to trigger the flaw.

The attacker uses the injection to retrieve contacts records belonging to other users or applications. This circumvents Android's permission model and contact provider boundaries. Refer to the Android Security Bulletin June 2026 for component-level technical details.
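
The Root Cause and Attack Vector sections above describe the pattern in words; the following is an added example that models it in Python on sqlite3 (the engine under Android's providers). It is not AOSP code and does not reproduce the contacts provider or Google's actual fix: the `contacts` table, the `owner` scoping column, `query_vulnerable` and `query_hardened` are all constructed for illustration. The hardened variant shows one standard remedy, structured filters with an allowlisted column and bound values, so the caller never contributes SQL text.

```python
"""Model of the CVE-2026-0075 failure pattern (CWE-89) in a contacts-style
provider, next to one hardened counterpart.

Added example, not AOSP code. The table, the `owner` scoping column and the
two query helpers are constructed for illustration; sqlite3 is used because
Android's content providers sit on SQLite."""
import sqlite3


def build_db():
    """In-memory table standing in for the contacts database; `owner` models
    the boundary (calling app or account) the provider must enforce."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts (
            id    INTEGER PRIMARY KEY,
            owner TEXT NOT NULL,
            name  TEXT NOT NULL,
            phone TEXT NOT NULL
        );
        INSERT INTO contacts (owner, name, phone) VALUES
            ('app_a', 'Alice Example', '+1-555-0100'),
            ('app_b', 'Bob Example',   '+1-555-0101'),
            ('work',  'Carol Example', '+1-555-0102');
    """)
    return con


def query_vulnerable(con, caller, selection):
    """Root-cause pattern: the caller's `selection` string is spliced into the
    statement. The scoping value itself is bound safely, but a selection such
    as `1=1) OR (1=1` closes the parenthesised clause early and ORs in every
    row, so the owner check no longer limits the result."""
    sql = f"SELECT name, phone FROM contacts WHERE owner = ? AND ({selection})"
    return con.execute(sql, (caller,)).fetchall()


ALLOWED_FILTER_COLUMNS = frozenset({"name", "phone"})


def query_hardened(con, caller, filters):
    """Hardened counterpart: the caller never supplies SQL text. Filters are
    (column, value) pairs; the column must be on an allowlist and the value
    is bound with `?`, so the query structure is fixed by the provider."""
    clauses = ["owner = ?"]
    params = [caller]
    for col, value in filters.items():
        if col not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"unsupported filter column: {col!r}")
        clauses.append(f"{col} = ?")
        params.append(value)
    sql = "SELECT name, phone FROM contacts WHERE " + " AND ".join(clauses)
    return con.execute(sql, params).fetchall()


def demo():
    """Runs both paths against the same data and returns the outcomes."""
    con = build_db()
    out = {
        "scoped_ok": query_vulnerable(con, "app_a", "1=1"),
        "breakout_leak": query_vulnerable(con, "app_a", "1=1) OR (1=1"),
        "hardened_ok": query_hardened(con, "app_a", {"name": "Alice Example"}),
        # The same payload as a bound value is compared literally and matches nothing.
        "hardened_payload_as_value": query_hardened(con, "app_a", {"name": "x') OR ('1'='1"}),
    }
    try:
        query_hardened(con, "app_a", {"1=1) OR (1": "x"})
        out["rejected_column"] = False
    except ValueError:
        out["rejected_column"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows `breakout_leak` returning all three rows to a caller scoped to `app_a`, while the hardened path returns only that caller's row, treats the injection payload as an ordinary string, and rejects a filter key that is not a known column.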

Detection Methods for CVE-2026-0075

Indicators of Compromise

  • Selection strings sent by third-party applications to content://com.android.contacts URIs that contain SQL meta-characters or keywords, such as single quotes, UNION, or comment sequences (-- or /*), instead of ? placeholders with selectionArgs.
  • Logcat traces showing application processes reading contacts data without holding the READ_CONTACTS permission.
  • Newly installed applications generating high-volume contact provider requests shortly after installation.

Detection Strategies

  • Inspect application packages for ContentResolver.query calls against contacts URIs whose selection string is built by concatenation or carries SQL keywords and meta-characters, rather than ? placeholders with values passed through selectionArgs.
  • Review device telemetry for anomalous contacts provider activity correlated with low-reputation applications.
  • Use mobile threat defense agents to flag applications that attempt privilege escalation through provider interfaces.
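
The indicators and detection strategies above can be turned into a small triage pass over provider-access telemetry. The block below is an added example, not code from the page or from any Android component or MTD product: the record format and `SAMPLE_RECORDS` are constructed, and `BURST_THRESHOLD` is an assumed tuning value. Real MDM or mobile threat defense exports would be mapped onto these fields first. It goes slightly beyond the bullet list by also flagging a closing parenthesis that escapes the provider's own `AND (...)` wrapper, a breakout that contains none of the listed meta-characters.

```python
"""Scan provider-access records for the CVE-2026-0075 indicators listed above:
SQL meta-characters or keywords in selections aimed at the contacts provider,
parenthesis breakouts, contacts access without READ_CONTACTS, and request
bursts from a single package.

Added example, not from the page or any Android component. The record format
and SAMPLE_RECORDS are constructed for illustration."""
import re
from collections import Counter

CONTACTS_URI_PREFIX = "content://com.android.contacts"
# Quotes, comment sequences, statement separators and set-operation keywords
# have no place in a selection built from `?` placeholders.
SQLI_PATTERN = re.compile(r"'|--|/\*|;|\bUNION\b|\bSELECT\b", re.IGNORECASE)
BURST_THRESHOLD = 20  # contacts requests per package in the window; assumed tuning value


def has_paren_breakout(selection):
    """True when a ')' closes a group the caller never opened, which is how a
    selection escapes the provider's own `AND (...)` wrapper."""
    depth = 0
    for ch in selection:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return True
    return False


def classify_record(rec):
    """Per-record reasons; empty for records not touching the contacts provider."""
    reasons = []
    if not rec["uri"].startswith(CONTACTS_URI_PREFIX):
        return reasons
    selection = rec.get("selection") or ""
    if SQLI_PATTERN.search(selection):
        reasons.append("sql-metacharacters-in-selection")
    if has_paren_breakout(selection):
        reasons.append("parenthesis-breakout-in-selection")
    if not rec["has_read_contacts"]:
        reasons.append("contacts-access-without-READ_CONTACTS")
    return reasons


def scan(records, burst_threshold=BURST_THRESHOLD):
    """Aggregate findings per package: {pkg: sorted list of reasons}."""
    findings = {}
    contacts_requests = Counter()
    for rec in records:
        if rec["uri"].startswith(CONTACTS_URI_PREFIX):
            contacts_requests[rec["pkg"]] += 1
        for reason in classify_record(rec):
            findings.setdefault(rec["pkg"], set()).add(reason)
    for pkg, count in contacts_requests.items():
        if count >= burst_threshold:
            findings.setdefault(pkg, set()).add("contacts-request-burst")
    return {pkg: sorted(reasons) for pkg, reasons in findings.items()}


# Constructed sample telemetry (not real device logs).
SAMPLE_RECORDS = [
    {"pkg": "com.example.crm", "uri": CONTACTS_URI_PREFIX + "/raw_contacts",
     "selection": "account_type = ?", "has_read_contacts": True},
    {"pkg": "com.shady.flashlight", "uri": CONTACTS_URI_PREFIX + "/raw_contacts",
     "selection": "1=1) OR (1=1", "has_read_contacts": False},
    {"pkg": "com.shady.flashlight", "uri": CONTACTS_URI_PREFIX + "/data",
     "selection": "x') UNION SELECT display_name, data1 FROM data -- ",
     "has_read_contacts": False},
    {"pkg": "com.example.crm", "uri": "content://media/external/images/media",
     "selection": "_id = ?", "has_read_contacts": True},
] + [
    {"pkg": "com.newapp.game", "uri": CONTACTS_URI_PREFIX + "/contacts",
     "selection": "_id = ?", "has_read_contacts": True}
    for _ in range(25)
]

if __name__ == "__main__":
    for pkg, reasons in scan(SAMPLE_RECORDS).items():
        print(pkg, ", ".join(reasons))
```

On the sample data the benign CRM app produces no findings, the flashlight app is flagged on all three selection and permission indicators, and the newly installed game is flagged only for request volume. Single quotes do occur in some legitimate selections, so treat the meta-character hit as a triage signal to be tuned against a baseline rather than a verdict on its own.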

Monitoring Recommendations

  • Enroll managed Android devices in an MDM platform that reports patch level and flags devices below the June 2026 security patch.
  • Monitor enterprise app catalogs and sideload events for applications that request access to the contacts provider unexpectedly.
  • Alert on Android 14, 15, or 16 devices whose security patch level remains below 2026-06-01 beyond a defined remediation window.

How to Mitigate CVE-2026-0075

Immediate Actions Required

  • Apply the June 2026 Android security patch (patch level 2026-06-01 or later) to all affected devices.
  • Identify devices running Android 14, 15, or 16 and prioritize updates for those handling sensitive contact data.
  • Remove or restrict untrusted third-party applications until patches are deployed.

Patch Information

Google released fixes in the Android Security Bulletin June 2026. Device manufacturers integrate the upstream fixes into their own builds. Confirm the security patch level under Settings on each device and validate it reflects 2026-06-01 or later before considering remediation complete.

Workarounds

  • Limit installation of applications to vetted enterprise stores until devices are patched.
  • Use Android work profile separation to isolate corporate contacts from personal application contexts.
  • Disable or revoke contacts access for applications that do not require it via runtime permissions.

```bash
# Verify the Android security patch level on a connected device; the value is an
# ISO date, so a plain string comparison orders it correctly.
patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
if [[ "$patch" < "2026-06-01" ]]; then echo "NOT PATCHED: $patch"; else echo "OK: $patch"; fi
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
