HarborGuard Database
CRITICAL | CVE-2026-28576 | CNA: google_android

CVE-2026-28576: In Contacts Provider, there is a possible way to access the contacts database due to SQL injection

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v4.0 score: 10.0
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

SQL injection in the Android Contacts Provider lets a caller that can reach the provider's query interface run SQL it should not be able to run against the contacts database. The CNA text describes the result as local information disclosure: on Android that means code already running on the device (typically an installed app) issuing a crafted query to the content provider, with no user interaction and no additional execution privileges. The published CVSS v4.0 vector nonetheless records AV:N/PR:N with high confidentiality, integrity and availability impact on both the vulnerable system and subsequent systems, and the metrics on this page follow that vector; treat the vector as the scored worst case and the vendor text as the practical attack model. No fix version has been published. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Google publishes a corrected Android 17 build.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-28576 is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Android-based container images. Any image carrying an affected version of Android 17 is flagged in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard scores this CVE at its published CVSS v4.0 rating of 10.0 (Critical) and weights that score against each customer environment's compliance policy. Triage routing can direct findings to the appropriate team inbox within each customer organization based on configured severity thresholds and workload ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google releases a corrected Android 17 build. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is available.

Exploit Conditions

  • Network reachability: Required per vector (AV:N)

    The published CVSS v4.0 vector records AV:N. The CNA description, however, describes local information disclosure, which for an Android content provider means the attacker's code is already on the device and delivers the crafted query through the provider's query interface; in that model no network path to the provider is involved.

  • Authentication: Not required

    The vector records PR:N and the advisory states that no additional execution privileges are needed: a caller that can reach the provider's query interface can deliver the crafted query without any credential.

  • Victim interaction: Not required

    The advisory states that user interaction is not needed for exploitation; nothing is required from a user on the affected device.

  • Attack complexity: Low

    AC:L/AT:N: the exploit requires no special timing, race conditions, or environmental preconditions.

Blast Radius

  • Reads the full contacts database, including names, phone numbers, email addresses, and any custom fields stored by applications using the provider.
  • Modifies or deletes persisted contact records, corrupting data visible to every app that queries the provider.
  • Crashes or degrades the Contacts Provider service, making contact lookup unavailable to dependent applications.
  • The CVSS v4.0 vector records high impact on both the vulnerable system (VC:H/VI:H/VA:H) and subsequent systems (SC:H/SI:H/SA:H), meaning any service that consumes contacts data from an affected device inherits the exposure.
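The following model, added here as an illustration and not code from the Contacts Provider or from this CVE (the advisory does not say which query argument is injectable), shows the failure pattern behind the synopsis and the Blast Radius list above: an Android-style query() that splices caller-supplied projection, selection and sort strings into SQL, so a co-resident caller can pull rows from a table it must not see or use the selection as a blind oracle, beside a strict form that allowlists identifiers and binds values. The table names, column names, sample rows and function names are assumptions for the demo; the strict form approximates what SQLiteQueryBuilder's projection map and strict mode enforce on Android.

```python
"""Content-provider-style query path: vulnerable vs strict.

Illustrative model only (not Contacts Provider code, not the CVE's actual
bug). Schema, rows and names below are constructed for the demo.
"""
import sqlite3

# Assumed schema: 'contacts' is what the caller may read; 'hidden' stands in
# for data outside the caller's permission (e.g. another app's account data).
ALLOWED_COLUMNS = ("_id", "display_name", "phone")


def build_db():
    """Constructed in-memory sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE contacts (_id INTEGER PRIMARY KEY, display_name TEXT, phone TEXT);"
        "CREATE TABLE hidden (_id INTEGER PRIMARY KEY, account_token TEXT);"
        "INSERT INTO contacts VALUES (1, 'Alice', '+15550100'), (2, 'Bob', '+15550101');"
        "INSERT INTO hidden VALUES (1, 'tok-secret-1');"
    )
    return db


def query_vulnerable(db, projection, selection, selection_args, sort_order):
    """Mirrors ContentProvider.query() arguments, but splices projection,
    selection and sort_order straight into SQL. Only selection_args are bound,
    which is not enough: the selection string itself is attacker SQL."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM contacts"
    if selection:
        sql += f" WHERE {selection}"
    if sort_order:
        sql += f" ORDER BY {sort_order}"
    return db.execute(sql, tuple(selection_args or ())).fetchall()


def _check_column(name):
    """Reject anything that is not an allowlisted bare column name."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {name!r}")
    return name


def query_strict(db, projection, filters, sort_order):
    """Strict form: every identifier comes from the allowlist, every value is
    a bound parameter, and the caller never supplies raw SQL. Filters are a
    {column: value} dict of equality tests instead of a selection string."""
    cols = ", ".join(_check_column(c) for c in (projection or ALLOWED_COLUMNS))
    sql = f"SELECT {cols} FROM contacts"
    args = []
    if filters:
        clauses = []
        for col, value in filters.items():
            clauses.append(f"{_check_column(col)} = ?")
            args.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    if sort_order:
        col, _, direction = sort_order.partition(" ")
        direction = direction.strip().upper() or "ASC"
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"bad sort direction: {direction!r}")
        sql += f" ORDER BY {_check_column(col)} {direction}"
    return db.execute(sql, args).fetchall()


# Constructed payloads: a scalar subquery smuggled in via the projection, and a
# selection fragment that turns the provider into a blind boolean oracle.
PROJECTION_PAYLOAD = "(SELECT account_token FROM hidden) AS display_name"
ORACLE_SELECTION = "_id = ? AND (SELECT length(account_token) FROM hidden) = ?"


def demo():
    db = build_db()
    # Direct leak: one hidden value returned once per contacts row.
    leaked = query_vulnerable(db, [PROJECTION_PAYLOAD], None, None, None)
    # Blind oracle: row 1 comes back only if the hidden token has length 12,
    # even though both values are "safely" bound parameters.
    oracle = query_vulnerable(db, ["_id"], ORACLE_SELECTION, [1, 12], None)
    # Strict form refuses the projection payload outright.
    try:
        query_strict(db, [PROJECTION_PAYLOAD], None, None)
        blocked = False
    except ValueError:
        blocked = True
    # ...while a legitimate query still works.
    legit = query_strict(db, ["display_name"], {"phone": "+15550101"}, "display_name DESC")
    return {"leaked": leaked, "oracle": oracle, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the oracle case makes is that binding selectionArgs does not make a provider safe: the selection string is still interpreted as SQL, so a provider exposed to untrusted callers has to restrict the grammar it accepts (allowlisted columns, no subqueries) rather than only escape values.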

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against all customer images carrying Android 17. Because no upstream patch exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment Google publishes a fix. In the interim, keep in mind that the vendor text describes a local attack: network-policy or egress rules do not stop a co-resident app from querying the Contacts Provider, so the compensating controls that actually apply are limiting which apps can be installed on affected devices (for managed fleets, through device policy), removing contact-sync functionality from workloads where it is not strictly required, and treating contacts data on any affected device as exposed until the fix ships. Customers whose compliance policy flags Critical-severity CVEs for immediate escalation will see this issue routed to the appropriate inbox automatically.

Affected packages
  • Android / Android: 17
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H