CVE-2026-0075: In multiple functions, there is a possible way to access the contacts database due to a SQL injection
In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A SQL injection vulnerability in multiple functions of the Android contacts database provider allows a local attacker to access and manipulate contact data without requiring elevated privileges. The vulnerability is reachable locally, meaning an attacker with an existing low-privilege shell or app execution context on the device can exploit it without any user interaction. Successful exploitation enables local privilege escalation with high confidentiality, integrity, and availability impact on the affected component. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection for CVE-2026-0075 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android-derived or AOSP-based container images. Any image carrying an affected Android version (14, 15, 16, or 16-qpr2) is flagged automatically in both registry scans and CI/CD pipeline checks.
Available
Triage is available with a CVSS v3.1 base score of 7.8 (HIGH), surfaced alongside per-environment compliance policy weighting to reflect each organization's risk tolerance. Findings are routed to the appropriate team inbox within each customer org based on configured policy and image ownership.
Available
Because no fix version has been published for CVE-2026-0075, HarborGuard re-checks the upstream Android security advisory on every ingest cycle and will make a patched-image rebuild available the moment Google publishes a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the device is required.
- Authentication: Required
  Any low-privilege account or app execution context is sufficient; no admin or elevated privileges are needed before exploitation.
- Victim interaction: Not required
  No user action is required; exploitation proceeds without any social engineering or user-triggered event.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions or special environmental factors need to align for it to succeed.
Blast Radius
- Reads arbitrary records from the contacts database, exposing names, phone numbers, email addresses, and associated metadata stored on the device.
- Modifies or deletes persisted contact records, enabling data tampering or destruction of stored personal information.
- Triggers a local privilege escalation, potentially allowing the attacker to execute code or access resources beyond the contacts provider's normal permission boundary.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-0075, the platform monitors the Google Android security advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow immediately, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes once an upstream fix exists. In the interim, compensating controls worth considering include network-policy isolation for services that bundle affected Android platform components, restricting app-level permissions to the contacts provider via Android permission policies where feasible, and feature-flag gating of any functionality that surfaces contact data to untrusted input paths. HarborGuard continues to surface this finding in every scan of affected images until a patched version is confirmed present.
- Google / Android: 16-qpr2 · 16 · 15 · 14
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H