PUB-A-224769956 — Vulnetix

PUB-A-224769956 PUBLISHED CVSS 8.5 HIGH

In getMessagesByPhoneNumber of MmsSmsProvider.java, there is a possible access to restricted tables due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Risk Scores

CVSS v4.0

8.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
platform	packages/providers/TelephonyProvider	13:0, 13, 13

Timeline

Dec 1, 2022 CVE Published
May 15, 2026 CVE Updated

References

https://source.android.com/security/bulletin/2022-12-01 advisory
https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/6d3d099d902a3c258972e46e4bc033f46b73109f patch

Open in Interactive Console →