CVE-2026-28615: In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass
In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v4.0
- 10.0
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a permissions bypass vulnerability in the Android Telecomm component affecting Android 17. The flaw is reachable over the network with no authentication or user interaction required, and all three impact dimensions (confidentiality, integrity, and availability) are rated high for both the vulnerable system and downstream systems. Successful exploitation allows an attacker to initiate unauthorized phone calls and escalate privileges locally on the device without any additional permissions. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Google publishes a fix version.
HarborGuard Coverage
Detection for CVE-2026-28615 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-based container images in CI pipelines and registries. Any image derived from or bundling an affected Android 17 component is flagged automatically.
AvailableHarborGuard is capable of scoring this CVE at its full CVSS v4.0 weight of 10.0 (Critical) and weighting it further against each customer organization's compliance policy to determine urgency tier. Triage routing rules direct the finding to the appropriate team inbox within the customer org based on image ownership and policy configuration.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the Google Android advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. Until then, the CVE remains in an open, unresolved state within each customer's finding queue for continued tracking.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerability is reachable over the network (AV:N), meaning an attacker can trigger it remotely without needing physical or local access to the device.
- AuthenticationNot required
No credentials or existing account are needed (PR:N); the attacker can exploit this as an unauthenticated party.
- Victim interactionNot required
Exploitation requires no action from a device user (UI:N); the attacker can trigger the flaw entirely without social engineering.
- Attack complexityDetail
Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- A successful attacker initiates unauthorized outbound phone calls from the compromised device, bypassing Android's telephony permission model.
- The attacker gains local privilege escalation, elevating their execution context on the device without needing any pre-granted elevated permissions.
- All three confidentiality, integrity, and availability dimensions are rated high for both the vulnerable system and any connected or dependent systems, meaning the attacker reads stored data, modifies system state, and can disrupt device functionality.
- The scope extends beyond the immediate process boundary (SC:H, SI:H, SA:H), so compromise of the Telecomm component can affect other components and services on the same device.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked at Critical severity (CVSS v4.0 10.0) with no upstream fix currently published. HarborGuard continuously re-evaluates the Google Android advisory on every ingest cycle, so a patched-image rebuild will become available to customers automatically and without manual intervention the moment Google publishes a fix version. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads as soon as the fix lands. In the interim, compensating controls available within HarborGuard policy configuration include network-policy isolation rules to restrict which workloads can reach Telecomm-exposed surfaces, egress filtering to block unauthorized outbound telephony paths, and feature-flag gating to suppress affected functionality in images where the Telecomm component is not operationally required. Where compliance policy permits, high-priority alerting for this CVE can be configured to page on-call teams immediately upon detection in any newly pushed image.
- Google / Android17
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H