Information Disclosure Vulnerability in MmsSmsProvider from Android
CVE-2026-28587

10CRITICAL

Key Information:

Vendor

Google
Status
Android
Vendor
CVE Published:
17 June 2026

What is CVE-2026-28587?

A vulnerability exists in the MmsSmsProvider component of Android due to a missing permission check. This security flaw allows malicious actors to potentially access sensitive information stored within the application, leading to local information disclosure. User interaction is not required to exploit this vulnerability, making it a concerning issue for affected devices.

Affected Version(s)

Android 17

References

https://source.android.com/docs/security/bulletin/android-17
vendor-advisory

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.