CVE-2026-28576 Overview
CVE-2026-28576 is a SQL injection vulnerability in the Android Contacts Provider component. An attacker can craft input that manipulates SQL queries executed against the contacts database. Successful exploitation enables local information disclosure without requiring user interaction or additional execution privileges.
The flaw affects Google Android 17.0 and is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Google addressed the issue in the Android Security Bulletin #17.
Critical Impact
Attackers can read arbitrary entries from the on-device contacts database, exposing personally identifiable information such as names, phone numbers, email addresses, and account metadata.
Affected Products
- Google Android 17.0
- Devices shipping the Contacts Provider system component
- Android-based platforms using the unpatched Contacts Provider build
Discovery Timeline
- 2026-06-17 - CVE-2026-28576 published to NVD
- 2026-06-17 - Last updated in NVD database
- 2026-06-17 - Google publishes Android Security Bulletin #17
Technical Details for CVE-2026-28576
Vulnerability Analysis
The Contacts Provider is a system content provider that exposes contact data to other applications through content:// URIs. The vulnerability stems from improper neutralization of input passed into SQL statements executed against the underlying SQLite contacts database.
An attacker-controlled application can supply crafted selection clauses, projection columns, or sort-order strings. These values are spliced into the query text rather than validated as identifiers or bound as parameters, so the resulting SQL executes with the privileges of the Contacts Provider and returns rows and columns the provider should have filtered out.
Exploitation requires only local access through the standard Android IPC surface: the attack vector is local, because the Contacts Provider is reachable over Binder through the ContentResolver APIs from any application installed on the device, without elevated permissions in the affected build. No user interaction is required.
Root Cause
The root cause is unsanitized input flowing into a SQL query string within the Contacts Provider. Per CWE-89, the component neither binds caller-supplied values as parameters nor validates identifiers such as column names and ORDER BY clauses against a known set. Attacker-supplied SQL fragments alter query semantics and bypass the row-level access checks the provider enforces.
Attack Vector
A malicious application installed on the device queries the Contacts Provider through ContentResolver.query() with crafted arguments. The injected SQL widens the result set or pivots to sibling tables containing private contact metadata. The exploitation requires no special permissions beyond what is available to ordinary applications, and the operation runs silently in the background.
No public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The Android Security Bulletin contains the authoritative technical reference.
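The pattern described in the analysis, root cause and attack vector sections above, as an added illustration that is not the Contacts Provider's source and not a proof of concept for this CVE: a Python model over an in-memory SQLite database with a constructed schema (a contacts table plus a sibling accounts table), in which vulnerable_query() splices the caller's projection, selection and sort order into the SQL text and appends its own owner filter, while hardened_query() checks every identifier against an allowlist and binds values as parameters. All table, column and function names are assumptions. On Android the platform-side controls are a projection map and strict mode on SQLiteQueryBuilder; this model does not use that API.

```python
"""Model of the CWE-89 pattern described above, using Python's sqlite3 on an
in-memory database. Schema, rows and function names are constructed for this
example; this is not the Android Contacts Provider source and not a PoC."""
import re
import sqlite3

# Constructed schema: contact rows owned by a caller uid, plus a sibling table
# holding private account metadata that the provider never exposes directly.
SCHEMA = """
CREATE TABLE contacts (_id INTEGER PRIMARY KEY, owner_uid INTEGER,
                       display_name TEXT, number TEXT);
CREATE TABLE accounts (_id INTEGER PRIMARY KEY, owner_uid INTEGER,
                       account_name TEXT, sync_token TEXT);
INSERT INTO contacts VALUES (1, 10001, 'Alice', '+1-555-0100');
INSERT INTO contacts VALUES (2, 10001, 'Bob',   '+1-555-0101');
INSERT INTO contacts VALUES (3, 10002, 'Carol', '+1-555-0102');
INSERT INTO accounts VALUES (1, 10002, 'carol@example.com', 'tok-8f3a');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, caller_uid, projection, selection, sort_order):
    """Caller-controlled strings are spliced into the SQL text. The provider
    appends its own owner filter, but the caller can close the parenthesis
    early or name other tables, so the filter does not hold."""
    sql = (f"SELECT {projection} FROM contacts "
           f"WHERE ({selection}) AND owner_uid = ? "
           f"ORDER BY {sort_order}")
    return conn.execute(sql, (caller_uid,)).fetchall()


# Hardened variant: identifiers come from an allowlist, values are bound.
ALLOWED_COLUMNS = {"_id", "display_name", "number"}
SORT_RE = re.compile(r"^(_id|display_name|number)(\s+(ASC|DESC))?$", re.IGNORECASE)


def hardened_query(conn, caller_uid, projection, selection, sort_order):
    """projection: list of column names; selection: dict of column -> value.
    Anything that is not a known column, or a sort clause outside the
    grammar, is rejected before any SQL is built."""
    for col in list(projection) + list(selection):
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted: {col!r}")
    if not SORT_RE.match(sort_order):
        raise ValueError(f"sort order not permitted: {sort_order!r}")
    where = " AND ".join(f"{col} = ?" for col in selection)
    where = f"({where}) AND " if where else ""
    sql = (f"SELECT {', '.join(projection)} FROM contacts "
           f"WHERE {where}owner_uid = ? ORDER BY {sort_order}")
    params = tuple(selection.values()) + (caller_uid,)
    return conn.execute(sql, params).fetchall()


def demo():
    conn = open_db()
    attacker_uid = 10001  # owns Alice and Bob, must never see Carol
    # 1. Widening the result set: ")" ends the caller's clause early and AND
    #    binds tighter than OR, so the owner filter only applies to the second
    #    branch. All three contacts come back.
    widened = vulnerable_query(conn, attacker_uid, "display_name",
                               "1=1) OR (1=1", "_id")
    # 2. Pivoting to the sibling table through a subquery in the projection.
    pivot = vulnerable_query(
        conn, attacker_uid,
        "display_name, (SELECT sync_token FROM accounts LIMIT 1)",
        "1=1", "_id")
    # 3. The hardened path refuses the pivot outright and, for a legitimate
    #    request, only ever returns the caller's own rows.
    try:
        hardened_query(conn, attacker_uid,
                       ["display_name", "(SELECT sync_token FROM accounts LIMIT 1)"],
                       {}, "_id")
        rejected = False
    except ValueError:
        rejected = True
    confined = hardened_query(conn, attacker_uid, ["display_name"],
                              {"number": "+1-555-0100"}, "display_name DESC")
    return widened, pivot, rejected, confined


if __name__ == "__main__":
    print(demo())
```

The two injection cases map onto the paragraph above: the first widens the result set past the owner filter, the second pivots into a table the caller was never meant to read. The hardened variant needs no escaping logic at all, because caller input never becomes SQL text: column and sort identifiers are looked up in a fixed set and everything else travels as a bound parameter.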
Detection Methods for CVE-2026-28576
Indicators of Compromise
- Applications issuing unusual content://com.android.contacts queries containing SQL metacharacters such as ', --, UNION, or stacked statements in selection arguments
- Processes accessing contact data without holding the READ_CONTACTS runtime permission
- Spikes in Contacts Provider query volume from a single non-system UID
Detection Strategies
- Inspect logcat output for Contacts Provider exceptions and malformed query warnings emitted by SQLite
- Apply mobile threat defense policies that flag applications invoking content providers with injection-style payloads
- Correlate process telemetry to identify newly installed apps that immediately enumerate contacts data
Monitoring Recommendations
- Forward Android system and audit logs to a central data lake and alert on anomalous Contacts Provider access patterns
- Track installation of unverified APKs and monitor their content resolver activity in the first hours post-install
- Baseline normal contact query volume per application and trigger alerts on deviations
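The three indicators and the per-application baseline above, as an added detection example that is not part of the original page: the record format, field names and sample telemetry are constructed for illustration (no Android component emits exactly these lines), so the parser would need to be adapted to whatever a mobile threat defense agent or forwarded audit log actually produces. The hypothetical records carry one ContentResolver query each, with the calling uid, package, held permissions, target URI and raw selection text.

```python
"""Detection logic for the Contacts Provider indicators listed above, run over
constructed telemetry. The record format and every sample line are assumptions
made for this example."""
import re
from collections import Counter

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) pkg=(?P<pkg>\S+) perms=(?P<perms>\S*) "
    r"uri=(?P<uri>\S+) selection=(?P<selection>.*)$")
# Comment markers, statement separators and UNION in a selection string.
INJECTION_RE = re.compile(r"(--|/\*|;|\bUNION\b)", re.IGNORECASE)
CONTACTS_URI = "content://com.android.contacts"

# Constructed sample telemetry: a dialer with READ_CONTACTS, a flashlight app
# without it that probes the provider, one system query, and one unrelated URI.
SAMPLE_TELEMETRY = [
    "2026-06-18T09:00:01 uid=10042 pkg=com.example.dialer perms=READ_CONTACTS,CALL_PHONE uri=content://com.android.contacts/contacts selection=display_name LIKE ?",
    "2026-06-18T09:00:04 uid=10042 pkg=com.example.dialer perms=READ_CONTACTS,CALL_PHONE uri=content://com.android.contacts/contacts selection=_id = ?",
    "2026-06-18T09:01:10 uid=10077 pkg=com.example.flashlight perms=INTERNET uri=content://com.android.contacts/raw_contacts selection=1=1) OR (1=1",
    "2026-06-18T09:01:11 uid=10077 pkg=com.example.flashlight perms=INTERNET uri=content://com.android.contacts/raw_contacts selection=_id > 0 UNION SELECT account_name, sync_token FROM accounts --",
    "2026-06-18T09:01:12 uid=10077 pkg=com.example.flashlight perms=INTERNET uri=content://com.android.contacts/raw_contacts selection=1=1",
    "2026-06-18T09:01:12 uid=10077 pkg=com.example.flashlight perms=INTERNET uri=content://com.android.contacts/raw_contacts selection=1=1",
    "2026-06-18T09:02:00 uid=1000 pkg=android perms=READ_CONTACTS,WRITE_CONTACTS uri=content://com.android.contacts/contacts selection=_id = ?",
    "2026-06-18T09:02:05 uid=10077 pkg=com.example.flashlight perms=INTERNET uri=content://com.android.contacts/raw_contacts selection=1=1",
    "2026-06-18T09:02:06 uid=10077 pkg=com.example.flashlight perms=INTERNET uri=content://com.android.settings/secure selection=name = ?",
]


def parse_record(line):
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def paren_depth_goes_negative(text):
    """A ')' that closes more than the caller opened is the signature of a
    selection escaping the provider's own parenthesised wrapper."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return True
    return False


def looks_injected(selection):
    return bool(INJECTION_RE.search(selection)) or paren_depth_goes_negative(selection)


def analyze(lines, volume_threshold=3):
    """Return alerts for the three indicators: injection-style selections,
    contacts queries without READ_CONTACTS, and per-uid volume above the
    baseline threshold for non-system uids (>= 10000) in this window."""
    alerts = {"injection": [], "no_permission": [], "volume": []}
    per_uid = Counter()
    pkg_of = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or not rec["uri"].startswith(CONTACTS_URI):
            continue
        uid, pkg = rec["uid"], rec["pkg"]
        per_uid[uid] += 1
        pkg_of[uid] = pkg
        if looks_injected(rec["selection"]):
            alerts["injection"].append((uid, pkg, rec["selection"]))
        if "READ_CONTACTS" not in rec["perms"].split(","):
            alerts["no_permission"].append((uid, pkg, rec["uri"]))
    for uid, n in per_uid.items():
        if int(uid) >= 10000 and n > volume_threshold:
            alerts["volume"].append((uid, pkg_of[uid], n))
    return alerts


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_TELEMETRY).items():
        print(kind, len(hits), hits)
```

The metacharacter list is deliberately short: a bare quote is common in legitimate selections and would be noisy, whereas comment markers, statement separators, UNION and a closing parenthesis with no matching opening one rarely appear in honest queries. The volume threshold is a placeholder; in practice it comes from the per-application baseline recommended above, and the uid cut-off at 10000 separates platform-reserved uids from application uids.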
How to Mitigate CVE-2026-28576
Immediate Actions Required
- Apply the Android security patch level from Android Security Bulletin #17 to all Android 17.0 devices
- Audit installed applications and remove any that request contact access without a clear business justification
- Enforce mobile device management policies that block sideloading and require updates within a defined window
Patch Information
Google published the fix in Android Security Bulletin #17. Device vendors must ship the corresponding monthly security patch level for Android 17.0. Confirm the patch level under Settings > About phone > Android security update after the OTA update completes.
Workarounds
- Restrict the READ_CONTACTS permission to vetted applications using enterprise MDM controls
- Disable or remove third-party applications that request contact access on devices that cannot receive the patch immediately
- Place high-risk users on managed work profiles that isolate the contacts database from untrusted apps
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
adb shell getprop ro.build.version.release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

