CVE-2026-0085: Android Contact Handler Denial of Service Vulnerability
A flaw in Android's contact data handling allows a local attacker to crash the system by inserting an unusually large contact name. The vulnerability exists in the DataRowHandler component, which fails to properly validate the size of contact name input before processing it. Because the attack requires only local access and no special privileges, any app on a compromised device could trigger the denial of service without user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In applySimpleFieldMaxSize of DataRowHandler.java, there is a possible way to insert a large contact name due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0085 is an improper input validation flaw (CWE-20) in the applySimpleFieldMaxSize method of DataRowHandler.java in Google Android. The vulnerability permits insertion of contact names exceeding expected size constraints, leading to local denial of service conditions. The CVSS 3.1 score of 5.5 (MEDIUM severity, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects local attack vector, low complexity, low privilege requirement, and high availability impact with no confidentiality or integrity risk.
Business impact
Organizations relying on Android devices for business communications face service disruption risk. A compromised employee device could become unstable or unresponsive, hindering mobile workforce productivity. The impact is primarily operational rather than data-focused, since the vulnerability only affects availability. In environments with tight device management, this may cascade into support incidents and temporary loss of mobile communication capability.
Affected systems
Google Android is the affected platform. The vulnerability resides in the DataRowHandler component responsible for contact data processing. All Android versions and devices using the vulnerable code path are potentially impacted. Verify specific version ranges and patch availability against official Google Android security bulletins, as version-specific details are not yet disclosed in initial vulnerability notices.
Exploitability
The attack surface is local and low-friction. An attacker with a foothold on the device (low privilege) can exploit this without user interaction or complex setup steps. No network access is required. This makes it a practical post-compromise persistence or denial-of-service vector for malware running with basic app permissions. The lack of complexity and low privilege bar increase practical exploitability in real-world attack scenarios.
Remediation
Patch Android systems as soon as vendor updates become available. Organizations should prioritize deployment in environments where mobile service availability directly supports business operations. For interim periods, restrict untrusted app installation and enforce app permission auditing to limit local code execution risk. Monitor device stability logs for signs of repeated crashes tied to contact operations.
Patch guidance
Await official Google Android security patches from the June 2026 security update cycle or later, depending on device manufacturer release schedules. Apply patches through Android System Updates as soon as they reach your device. Device manufacturers and carriers often delay patches; contact your device vendor or mobile carrier for specific timelines. Test patches in a non-production environment first to confirm no side effects on contact sync or data management workflows.
Detection guidance
Monitor system logs for repeated crashes or restarts of the contacts application or the system_server process handling contact data. Detect attempts to insert unusually large contact name fields through database monitoring or contact sync auditing tools. Correlate crashes with suspicious app activity using Mobile Device Management (MDM) logs if available. Stack traces mentioning DataRowHandler or applySimpleFieldMaxSize are direct indicators of exploitation attempts.
Why prioritize this
Although rated MEDIUM severity, prioritize patching based on device criticality and app exposure. Devices used for sensitive communications or business operations warrant faster deployment. The low attack complexity and lack of privilege escalation requirements mean malware can easily trigger the flaw once resident on a device. Combine patch deployment with endpoint monitoring to catch exploitation attempts in the interim.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a local-only attack vector and low complexity, balanced against high availability impact. There is no confidentiality or integrity compromise, limiting the rating. The low privilege requirement and absence of user interaction lower the barrier to exploitation. In isolation, the score is moderate; however, in environments where device availability underpins business continuity, practical risk may be higher.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-0085 is a local vulnerability only. The attacker must already have code execution on the device. It cannot be exploited via network, email, or web browsing alone.
Will this lead to data theft or account compromise?
No. The vulnerability only affects availability (denial of service). It does not compromise confidentiality or integrity, so contact data is not leaked and accounts are not hijacked. The impact is service disruption, not data loss.
Which Android versions are affected?
Google has not yet disclosed specific version ranges in publicly available details. Check the official Android Security & Privacy Year in Review or device manufacturer security bulletins for your specific Android release. Apply patches as they become available for your device.
What should I do if I cannot patch immediately?
Restrict app permissions to essential apps only, monitor device stability, and keep MDM tools updated to detect suspicious activity. Avoid sideloading untrusted apps. Combine these interim controls with a clear patch deployment timeline.
This analysis is based on publicly disclosed vulnerability information as of the publication and modification dates provided. Specific affected Android versions, detailed patch timelines, and manufacturer-specific deployment guidance are subject to change and should be verified against official Google Android security advisories and your device manufacturer's security updates. No exploit code or weaponized proof-of-concept is provided. Use this information for risk assessment and patch planning only. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10938MEDIUMChrome Site Isolation Bypass via Input Validation Flaw
- CVE-2026-10980MEDIUMChrome Same-Origin Policy Bypass in DevTools – Patch Guidance