MEDIUM 4.0

CVE-2026-28581: Android Emergency Call Logic Error Vulnerability

A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-476
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In fixInitiatingUserIfNecessary of CallIntentProcessor.java, there is a possible way to make an emergency call due to a logic error in the code. This could lead to local with null execution privileges needed. User interaction is null for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-28581 is a null pointer dereference vulnerability (CWE-476) located in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. The flaw permits unauthorized emergency call initiation due to insufficient authorization logic. The vulnerability requires local access and no special privileges, but successfully bypasses the intended user authorization framework through improper null handling during the user context initialization phase. The CVSS v3.1 score of 4.0 reflects the integrity impact with no confidentiality or availability concerns.

Business impact

This vulnerability could undermine emergency services infrastructure by allowing unauthorized applications to place emergency calls, potentially flooding emergency dispatch systems with fraudulent calls or disrupting legitimate emergency access. Organizations deploying Android devices should assess whether their security policies and app vetting processes adequately prevent installation of malicious apps that could exploit this flaw. The integrity impact is limited to the unauthorized initiation action itself, but the reputational and operational consequences of emergency service abuse warrant prompt remediation.

Affected systems

The vulnerability affects multiple versions of Google Android. Verification of specific affected versions and confirmation of patched releases should be cross-referenced against the official Android security bulletin and Google's vendor advisories. Organizations running Android devices in their environment should consult Google's documentation to identify which devices and OS versions require updates.

Exploitability

Exploitation requires local access to an Android device and involves a malicious or compromised application leveraging the logic error to bypass call authorization. No user interaction is necessary—a background app could trigger the flaw. However, the attack surface is somewhat constrained by the requirement to execute code locally and the need for an app to be installed on the device. The ease of exploitation is moderate once an app is present on the system.

Remediation

Apply the security patch released by Google for the affected Android versions. Ensure all Android devices in your environment are updated to the patched release. Additionally, implement robust app vetting policies to prevent installation of untrusted applications, and consider deploying mobile device management (MDM) solutions that enforce app allowlisting and disable sideloading on user devices.

Patch guidance

Consult Google's official Android Security & Privacy bulletin for the specific patched Android version addressing CVE-2026-28581. Verify the patch version number against Google's vendor advisory before deployment. Test patches in a staging environment to ensure compatibility with deployed applications. For enterprise deployments, coordinate patch rollout through MDM platforms to ensure consistent coverage across all Android devices.

Detection guidance

Monitor for suspicious calls or emergency dialing logs from applications not expected to initiate calls. Use Android security scanning tools and MDM solutions to flag apps with broad permissions related to call handling. Review application permissions and runtime behavior for apps requesting CALL_PHONE or related emergency dialing capabilities. Implement audit logging on Android devices to capture call initiation events and correlate them with application activity.

Why prioritize this

Although rated MEDIUM severity, this vulnerability should be prioritized for rapid patching because emergency call system abuse has direct operational and public safety implications. Malicious exploitation could disrupt emergency services or damage organizational reputation. The lack of user interaction required for exploitation and the straightforward attack vector (local app execution) make this a practical threat even with low CVSS scores. Organizations managing Android devices should treat this as a near-term remediation target.

Risk score, explained

The CVSS 3.1 score of 4.0 (MEDIUM) reflects low attack complexity, no privileges required, and local access as the primary constraint (AV:L). The integrity impact (I:L) acknowledges that unauthorized emergency calls represent a state change in the device's authorized functions, while confidentiality and availability are unaffected. The score does not fully capture the potential impact to emergency services infrastructure, making this a case where organizational risk context should elevate the priority beyond the numeric score.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local code execution—an attacker must have an app installed or running on the target Android device. Remote exploitation is not possible.

What versions of Android are affected?

Multiple Android versions are listed as affected in the source data. Consult Google's official Android Security Bulletin and vendor advisories to confirm the exact version ranges and their corresponding patch releases.

Does the attacker need special privileges to exploit this?

No. The vulnerability can be exploited without elevated privileges, meaning a standard application with appropriate (or abused) permissions can trigger the flaw.

How quickly should we patch this?

Given the integrity impact to emergency call systems and the lack of user interaction required, prioritize this patch within your standard security update cycle—ideally within 2-4 weeks of your Android vendor's release, after thorough testing.

This analysis is based on publicly available vulnerability data current as of the publication date. Patch version numbers and affected product versions must be verified against official Google Android security advisories before deployment. This information is provided for informational purposes to support security decision-making and should not be construed as legal or compliance advice. Organizations should conduct their own risk assessment based on their specific deployment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).