MEDIUM 5.9

CVE-2026-0075: Android SQL Injection in Contacts Database – Privilege Escalation Risk

CVE-2026-0075 is a SQL injection vulnerability in Google Android's contact database access functions that allows local attackers to escalate privileges without needing special permissions or user interaction. An attacker with local access to an Android device can exploit this flaw to read, modify, or delete contact information and potentially gain elevated system privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-89
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

Multiple functions in Google Android contain SQL injection flaws (CWE-89) in contact database query handling. The vulnerability exists in the contact database access layer, where unsanitized input is passed directly into SQL queries. By crafting malicious SQL statements, a local attacker can execute arbitrary database operations, bypassing normal access controls. The attack requires only local code execution capability—no additional privileges are needed, and exploitation can occur without user interaction or awareness.

Business impact

Organizations deploying Android devices face potential data breaches affecting sensitive contact information stored on employee and user devices. Loss of contact database confidentiality could expose customer lists, vendor relationships, and communications patterns. In BYOD environments, compromised contacts may propagate across personal and corporate networks. The privilege escalation component creates a pathway for attackers to gain deeper system control, potentially enabling installation of persistent malware or lateral movement within corporate infrastructure.

Affected systems

Google Android is affected across multiple versions and variants. Organizations should determine which Android versions are deployed in their environment by checking security bulletin details and vendor advisories. The vulnerability affects the contacts application framework component that handles database access. Users of any Android device may be impacted depending on their specific version and patch status.

Exploitability

The attack surface is local only—an attacker must first achieve code execution on the Android device. However, the absence of privilege requirements or user interaction significantly lowers the bar for exploitation once that foothold is established. Malicious apps, compromised system services, or physical access scenarios could serve as entry points. The CVSS 3.1 score of 5.9 (MEDIUM) reflects moderate severity due to local-only access combined with meaningful impact on confidentiality, integrity, and availability of contact data.

Remediation

Apply the latest security patch from Google for your Android version as soon as it becomes available. Contact database access functions should be updated to use parameterized queries or prepared statements that separate SQL logic from user-supplied data. Organizations should enforce device management policies requiring timely patching and consider restricting installation of apps from untrusted sources to reduce the risk of malicious code execution on managed devices.

Patch guidance

Monitor Google's Android Security & Privacy Year in Review and monthly security bulletins for patch releases addressing CVE-2026-0075. Patches will be distributed through Google Play System Update for devices enrolled in the Android security update program. Verify the specific patch version required for your deployed Android versions by consulting the official Google security advisory. Prioritize patching devices with high contact data sensitivity or elevated risk profiles. Test patches in a staging environment before broad deployment to ensure compatibility with your applications and workflows.

Detection guidance

Monitor for suspicious SQL query patterns in device logs and system audit trails that could indicate contact database exploitation attempts. Look for unexpected database access from privileged processes, unusual contact database file modifications, or anomalous contact list changes. On managed devices, enable enhanced logging for the contacts framework and review access logs for queries containing SQL keywords (SELECT, INSERT, UPDATE, DELETE) in unexpected contexts. Network monitoring may detect exfiltration of contact data to external servers following successful exploitation.

Why prioritize this

This vulnerability merits prompt attention because it requires no special permissions or user interaction, making it a realistic threat in scenarios where malicious code already executes locally—such as malware, compromised apps, or physical access. The direct impact on sensitive contact data and the privilege escalation pathway create meaningful business risk. Although local-only access somewhat limits exposure compared to remote flaws, the ease of exploitation once code execution is achieved and the sensitivity of contacts data justify treatment as a medium-priority patch target across managed Android deployments.

Risk score, explained

The CVSS 3.1 score of 5.9 (MEDIUM) reflects three key factors: (1) local attack vector only, limiting but not eliminating practical risk; (2) low attack complexity with no special preconditions; (3) partial but meaningful impact on confidentiality (contact disclosure), integrity (contact modification), and availability (contact deletion). The score appropriately captures that the vulnerability poses real but contained risk—not critical, but requiring timely remediation in any environment where Android security posture is treated seriously.

Frequently asked questions

Who is at risk from this vulnerability?

Any organization or user running affected Google Android versions is at risk. The threat is most acute for users who install apps from untrusted sources, visit malicious websites on their device, or are targeted by sophisticated attackers who can achieve initial code execution. BYOD and personally-owned devices in corporate networks present additional risk vectors if not actively managed.

Can this vulnerability be exploited remotely over the network?

No. CVE-2026-0075 is a local-only vulnerability requiring prior code execution on the Android device. An attacker cannot exploit this flaw directly from the network; they must first compromise or gain execution capability on the device itself through other means such as malware, social engineering, or physical access.

What data can be accessed or modified through this vulnerability?

The vulnerability specifically targets the Android contacts database. Attackers can read contact records, modify contact information, or delete contacts. In some scenarios, depending on database permissions and device configuration, attackers might access related data or metadata. Organizations should assume complete contact database confidentiality and integrity can be compromised if this flaw is exploited.

Does Google have a patch available yet?

Consult Google's official Android security bulletins and advisories for current patch availability. Security patches are typically released through the Android security update program and distributed via Google Play System Update. The timeframe between CVE publication and patch availability varies; verify against official Google sources before deploying remediation measures.

This analysis is based on CVE-2026-0075 public disclosure data as of June 2026. Exploit code is not provided; this content is for authorized security research and remediation planning only. Organizations should verify all patch version numbers, affected product lists, and timelines directly against official Google Android security advisories and KEV catalogs before implementation. SEC.co assumes no liability for patch deployment outcomes or security incidents. This content does not constitute legal advice or guarantee against actual exploitation. Always test patches in controlled environments prior to production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).