ASB-A-369105011 — Vulnetix

ASB-A-369105011 PUBLISHED

In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor	Product	Versions
platform	packages/providers/MediaProvider	16-qpr2-next:0, 16-qpr2-next, 15:0

Timeline

Mar 1, 2026 CVE Published
May 15, 2026 CVE Updated

References

https://source.android.com/security/bulletin/2026-03-01 advisory
https://android.googlesource.com/platform/packages/providers/MediaProvider/+/1b7d4ce446d149a34d8b317d41127379f017165d patch

Open in Interactive Console →