CVE-2026-28581 Overview
CVE-2026-28581 is a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java in the Android Telecom component. The flaw allows a local actor to place an emergency call without the execution privileges normally required. The issue is classified under [CWE-476] (NULL Pointer Dereference) and affects Android 14, 15, and 16, including multiple Android 16 QPR2 beta releases. Google addressed the issue in the Android Security Bulletin – June 2026.
Critical Impact
A local attacker can trigger emergency call initiation without the privileges or user interaction normally required by the Telecom framework.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes fix in the Android Security Bulletin
- 2026-06-01 - CVE-2026-28581 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-28581
Vulnerability Analysis
The vulnerability resides in fixInitiatingUserIfNecessary, a helper inside CallIntentProcessor.java that normalizes the initiating user for a call intent. A logic error in this routine produces a state where an emergency call can be made without the execution privileges Android's Telecom service normally enforces. The condition does not require user interaction, and the attack surface is local to the device.
The weakness is tracked under [CWE-476]. Successful exploitation affects integrity by allowing an unauthorized state transition into the emergency calling path. Confidentiality and availability are not directly impacted based on the published CVSS vector.
Root Cause
The root cause is faulty conditional handling when reconciling the initiating UserHandle for an incoming call intent. The code path fails to validate that the caller is authorized to invoke the emergency call branch, and a null or unexpected user reference is treated as a permissible state rather than rejected. This bypasses the privilege check that should gate emergency call initiation.
Attack Vector
Exploitation requires local access to the device, such as an installed application or a process running on the handset. The attacker crafts an intent that reaches CallIntentProcessor under conditions that trigger the flawed branch in fixInitiatingUserIfNecessary. Because privileges and user interaction are not required, a low-privilege app can reach the vulnerable code without prompting the user. No public proof-of-concept or in-the-wild exploitation has been reported.
No verified exploit code is publicly available. See the Android Security Bulletin for technical specifics.
Detection Methods for CVE-2026-28581
Indicators of Compromise
- Unexpected outbound emergency call events in Telecom logs originating from non-dialer processes.
- logcat entries from the Telecom tag showing calls into CallIntentProcessor.fixInitiatingUserIfNecessary from unprivileged UIDs.
- Applications without the CALL_PRIVILEGED or emergency-related permissions invoking ACTION_CALL_EMERGENCY or related intents.
Detection Strategies
- Audit installed applications for use of Telecom-related intents and review which third-party packages trigger Telecom service activity.
- Monitor enterprise mobility management (EMM) telemetry for emergency call placement events that do not correlate with user-initiated dialer usage.
- Verify the device security patch level reported by Android matches or exceeds the June 2026 patch level.
Monitoring Recommendations
- Forward dumpsys telecom and Telecom service logs from managed devices to a central log store for analysis.
- Alert on emergency call attempts that occur outside expected user workflows, such as while the screen is locked or the dialer is not in the foreground.
- Track the ro.build.version.security_patch property across the fleet to confirm patch adoption.
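As an added example (not from the bulletin or from Android's own code), the two monitoring checks above expressed in Python: flagging emergency-call events from non-dialer app UIDs or while the screen is locked, and comparing ro.build.version.security_patch against the fixed level. The logcat line format, package names and UIDs are constructed for illustration; map the regex to the Telecom log layout in your own captures.

```python
import re
from datetime import date

# Constructed sample logcat lines in a hypothetical layout for demonstration;
# the real Telecom log format differs and must be mapped from your own captures.
SAMPLE_LOGCAT = """\
06-02 10:22:03.117 1234 1234 I Telecom : CallIntentProcessor: emergency=true uid=10042 pkg=com.android.dialer screenLocked=false
06-02 10:24:51.904 1234 1234 I Telecom : CallIntentProcessor: emergency=false uid=10137 pkg=com.example.messenger screenLocked=false
06-02 10:25:07.331 1234 1234 I Telecom : CallIntentProcessor: emergency=true uid=10137 pkg=com.example.messenger screenLocked=true
06-02 10:26:12.008 1234 1234 I Telecom : CallIntentProcessor: emergency=true uid=1000 pkg=android screenLocked=false
"""

LINE_RE = re.compile(
    r"(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+).*?Telecom : CallIntentProcessor: "
    r"emergency=(?P<emergency>true|false) uid=(?P<uid>\d+) "
    r"pkg=(?P<pkg>\S+) screenLocked=(?P<locked>true|false)"
)

# Packages expected to place emergency calls; extend with your OEM dialer (assumed list).
TRUSTED_DIALERS = {"com.android.dialer", "com.google.android.dialer"}
FIRST_APP_UID = 10000  # Android assigns application UIDs starting at 10000

def find_suspicious_emergency_calls(logcat: str) -> list[dict]:
    """Return emergency-call events from non-dialer app UIDs or placed with a locked screen."""
    hits = []
    for line in logcat.splitlines():
        m = LINE_RE.search(line)
        if not m or m["emergency"] != "true":
            continue  # not a parseable emergency-call event
        uid = int(m["uid"])
        reasons = []
        if uid >= FIRST_APP_UID and m["pkg"] not in TRUSTED_DIALERS:
            reasons.append("non-dialer app uid")
        if m["locked"] == "true":
            reasons.append("screen locked")
        if reasons:
            hits.append({"ts": m["ts"], "uid": uid, "pkg": m["pkg"], "reasons": reasons})
    return hits

PATCHED_LEVEL = date(2026, 6, 1)  # fix ships under the 2026-06-01 security patch level

def is_patched(security_patch: str) -> bool:
    """True when the ro.build.version.security_patch value is 2026-06-01 or later."""
    try:
        return date.fromisoformat(security_patch.strip()) >= PATCHED_LEVEL
    except ValueError:
        return False  # unparsable property value: treat the device as unpatched
```

Feed `find_suspicious_emergency_calls` the forwarded Telecom logs and `is_patched` the per-device property collected by the EMM; only the system-UID and trusted-dialer events in the sample pass silently.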
How to Mitigate CVE-2026-28581
Immediate Actions Required
- Apply the June 2026 Android security patch level on all affected Android 14, 15, and 16 devices.
- Enforce a minimum security patch level policy through your EMM or MDM solution and block enrollment of non-compliant devices.
- Remove or restrict untrusted applications that request Telecom or phone-related permissions.
Patch Information
Google released the fix as part of the Android Security Bulletin – June 1, 2026. Device manufacturers ship the corresponding update under the 2026-06-01 security patch level. Pixel devices receive the update directly from Google; other OEMs distribute the fix on their own cadence.
Workarounds
- No official workaround replaces the patch. Until the update is installed, limit exposure by reviewing and removing third-party applications with Telecom integration.
- Apply EMM policies that restrict sideloading and block installation from unknown sources.
- For high-risk users, restrict device usage to a managed application allowlist until the security patch level is updated.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.