CVE-2026-28587: In MmsSmsProvider of MmsSmsProvider
In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing permission check in MmsSmsProvider (Android 17) allows any app on the device to query the MMS and SMS content provider without holding the required read-contacts or read-SMS permissions. The CVSS v4.0 vector rates this as network-reachable with no authentication and no user interaction required, reflecting the broad exploitability surface of the Android platform. Successful exploitation gives an attacker full read access to stored messages and contacts, the ability to tamper with message data, and the potential to disrupt messaging service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Google publishes a fix version for Android 17.
HarborGuard Coverage
Detection of CVE-2026-28587 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived container images, in CI pipelines and connected registries. Any image layer containing the affected MmsSmsProvider component is flagged automatically at ingest time. Status: Available
Triage is available with the full CVSS v4.0 score of 10.0 (Critical) surfaced alongside per-environment compliance policy weighting, so teams with stricter Android-device policies see this routed at the highest priority. HarborGuard routes the finding to the inbox configured for the relevant team or product line within each customer org. Status: Available
Because no fix version has been published by Google for Android 17, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without any manual intervention once the patch ships. Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The CVSS v4.0 vector specifies AV:N, meaning the vulnerable component is reachable over the network and an attacker does not need local device access to reach it.
- Authentication: Not required
  PR:N indicates no account or privilege level is required; any process or app that can reach the provider can exploit the missing permission check.
- Victim interaction: Not required
  UI:N confirms the exploit completes without any action from a device user, such as opening a message or tapping a link.
- Attack complexity: Detail
  AC:L indicates the exploit is reliable and condition-free, with no race conditions or special environmental factors needed to trigger the missing permission check.
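The conditions above are read from the CVSS v4.0 vector published with this advisory, while the CVE description speaks of local information disclosure. As an added example (not HarborGuard's or Google's code), the Python below parses the vector and flags base metrics that the description wording does not support; the keyword rules in `CHECKS` are constructed triage heuristics, not part of the CVSS standard.

```python
import re

# Allowed values for the CVSS v4.0 base metrics (FIRST specification).
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}

# Constructed heuristics (assumption): description wording -> metric values it supports.
CHECKS = [
    (r"\blocal\b", "AV", "LP", "description says local"),
    (r"no additional execution privileges", "PR", "N", "description says no privileges needed"),
    (r"user interaction is not needed", "UI", "N", "description says no user interaction"),
    (r"information disclosure", "VI", "N", "description names disclosure only"),
    (r"information disclosure", "VA", "N", "description names disclosure only"),
]

def parse_vector(vector):
    """Return {metric: value} for a CVSS v4.0 vector, rejecting malformed input."""
    prefix, _, rest = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not sep or key in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if key in BASE and (len(value) != 1 or value not in BASE[key]):
            raise ValueError(f"invalid value for {key}: {value!r}")
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def mismatches(description, vector):
    """List metrics whose value is not supported by the description wording."""
    metrics = parse_vector(vector)
    text = description.lower()
    return [f"{m}:{metrics[m]} ({why})" for pat, m, ok, why in CHECKS
            if re.search(pat, text) and metrics[m] not in ok]

# Description and vector as published in this advisory.
DESCRIPTION = ("In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to "
               "retrieve sensitive information due to a missing permission check. This "
               "could lead to local information disclosure with no additional execution "
               "privileges needed. User interaction is not needed for exploitation.")
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"

if __name__ == "__main__":
    for finding in mismatches(DESCRIPTION, VECTOR):
        print("review:", finding)
```

Metrics it reports are candidates for manual re-scoring before the finding drives policy weighting or routing.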
Blast Radius
- Reads all stored SMS and MMS message content, including message body text, sender and recipient phone numbers, and timestamps.
- Reads contact and thread metadata associated with the messaging database, exposing social graphs and communication patterns.
- Modifies or deletes persisted SMS and MMS database rows, allowing an attacker to tamper with message history or plant false records.
- Crashes or degrades the messaging content provider, disrupting SMS and MMS functionality for the device user.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-28587 is currently unpatched, so the platform monitors the Google Android Security Bulletin and upstream AOSP repositories on every ingest cycle for a fix targeting Android 17. While no patch is available, customers can apply compensating controls through HarborGuard policy rules, including network-policy isolation to restrict untrusted app containers from reaching content-provider endpoints, egress filtering to limit outbound data paths from the affected component, and feature-flag gating to disable MMS processing in images where it is not operationally required. For customers who opt into auto-remediation, a rebuilt image and regression-test run will be triggered automatically and a PR will be opened against affected workloads within minutes of Google publishing a fix version, with no manual steps required.
- Google / Android 17
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H