External risk intelligence

Android MmsSmsProvider Missing Permission Check Leads to Information Disclosure.

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-28587

A critical vulnerability exists in Android's MmsSmsProvider, allowing sensitive local information disclosure due to a missing permission check. Exploitation requires no user interaction or special privileges, but the impact is limited to data accessible on the device. Confirming affected devices and assessing business

Information Disclosure

Halo Surface Signal

Very unlikely · external exposure

The vulnerability exists within a local provider component (MmsSmsProvider.java) on a device, which facilitates local information disclosure. It is not a network-accessible service, web application, or public-facing API, and typically requires local access to the device's operating system environment to be exploited.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a component of the Android operating system related to messaging services. This issue allows for the potential disclosure of sensitive information stored on a device without any user interaction or special privileges. While the vulnerability is critical, its direct impact is limited to locally stored data on the device itself.

  • Missing permission check could reveal sensitive messages.
  • Confirm relevance to our specific device fleet.
  • Understand potential local data exposure risks.

Attack Path

How an attacker could exploit the issue

An attacker can leverage this vulnerability by interacting with a local component on the device, potentially leading to the exposure of sensitive information. The vulnerability resides within the MmsSmsProvider, and an attacker could exploit it without needing user interaction or additional execution privileges.

  • Requires local access to the device.
  • Exploited via the MmsSmsProvider component.
  • Leads to local information disclosure.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow for the retrieval of sensitive information from the device's MMS and SMS provider under specific conditions, without requiring user interaction or elevated privileges. The potential exposure is limited to data accessible by the vulnerable component on the local device.

  • Local user data at risk.
  • Missing permission check allows access.
  • Information disclosure to local attacker.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in MmsSmsProvider.java could allow for local information disclosure without requiring additional privileges or user interaction. It is crucial for application owners and potentially platform teams to identify affected devices, assess business criticality, and confirm ownership before planning remediation.

  • Application owners must confirm assets.
  • Verify local device reachability first.
  • Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-28587 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves a missing permission check that could allow sensitive information to be retrieved, making it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is the MmsSmsProvider in Android?

MmsSmsProvider is a core system component in the Android operating system that manages the database for Multimedia Messaging Service (MMS) and Short Message Service (SMS) data. It acts as an interface that allows authorized applications to read or store text messages and media attachments on your device. Because it handles personal communications, it is designed to strictly control which apps can access this sensitive information.

What does CWE-862 mean for CVE-2026-28587?

CWE-862 refers to a 'Missing Authorization' weakness. In the context of this CVE, it means the MmsSmsProvider component fails to verify that an app or process has the correct permission before granting access to the messaging database. Essentially, the software creates a path where sensitive data can be retrieved because it neglects to perform the necessary security check to confirm if the requester is actually allowed to see that information.
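As an added illustration of the CWE-862 pattern described above, the following hypothetical provider (written for this page; it is not the AOSP MmsSmsProvider source and does not reproduce its code) shows a read path with no authorization check beside one that enforces READ_SMS before touching the database. MessageStoreProvider, MessageDbHelper and the "message" table are assumed names.

```java
// Hypothetical ContentProvider illustrating CWE-862 (missing authorization).
// Not the AOSP MmsSmsProvider; the class, helper and table names are assumed.
import android.Manifest;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.net.Uri;

public class MessageStoreProvider extends ContentProvider {
    private SQLiteOpenHelper helper; // assumed subclass that creates a "message" table

    @Override
    public boolean onCreate() {
        helper = new MessageDbHelper(getContext()); // hypothetical helper class
        return true;
    }

    // Vulnerable shape (CWE-862): reads straight from the database. Any process
    // that reaches this entry point gets rows back whether or not it holds
    // READ_SMS, because nothing here asks who the caller is.
    private Cursor queryUnchecked(String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        SQLiteDatabase db = helper.getReadableDatabase();
        return db.query("message", projection, selection, selectionArgs,
                        null, null, sortOrder);
    }

    // Hardened shape: fail closed before any data is touched. enforce* throws
    // SecurityException when the calling UID lacks the permission, so a caller
    // cannot slip past a forgotten return-value test. A manifest
    // android:readPermission should be declared too, but the framework does not
    // apply it to every entry point (call() performs no permission check of its
    // own), so the check belongs in code as well.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        getContext().enforceCallingOrSelfPermission(
                Manifest.permission.READ_SMS, "caller lacks READ_SMS");
        return queryUnchecked(projection, selection, selectionArgs, sortOrder);
    }

    // Write paths would need the matching WRITE_SMS check; this provider is read-only.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.message"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
}
```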

Does this vulnerability trigger remotely?

No, this vulnerability does not trigger via remote network requests. It is a local issue, meaning it requires interaction with the device's operating system environment. Simply receiving a message or browsing the internet will not trigger the bug; an attacker must have a way to interact with the local MmsSmsProvider component on the physical device to access the stored data.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that this vulnerability is very unlikely to be exploited over the network. Since the flaw exists within a local component rather than a public-facing API or web service, the risk is primarily relevant if an attacker gains local access to your device. Organizations should focus on devices where local access or malicious app installation is a concern, rather than treating this as a remote, internet-wide threat.

How do I respond to this vulnerability?

First, identify which devices in your fleet are running the affected Android version. Since this is a system-level component, you cannot patch the provider manually. Work with your device manufacturers or platform teams to monitor for security updates that address this missing permission check. Prioritize your response based on the sensitivity of the data stored on those specific devices and your current mobile device management policies.
