CVE-2025-10184

216.73.216.233

· Published 23/09/2025 13:15 · Modified 24/09/2025 18:11

Labels: CVE-2025-10184 2025-09-23 CVE-2025-10184 CWE-89 [email protected]

Essential information

Published: 23/09/2025 13:15
Modified: 24/09/2025 18:11
Author: —
Creator: —
CVSS: 8.2 HIGH (v3) 8.2 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
google / android	`cpe:2.3:o:google:android::::::::`