4.0
Android Media App Can Reveal Location of Media Files
CVE-2026-0024
ASB-A-326211886
Summary
Android's MediaProvider does not properly check permissions in isRedactionNeededForOpenViaContentResolver (MediaProvider.java), which could allow a local attacker to access sensitive location information about media files. Exploitation requires no additional execution privileges and no user interaction. Check your app's permissions and consider updating to a version that fixes this issue.
What to do
- Update google platform/packages/providers/mediaprovider to version 16-qpr2-next:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 15:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 16:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 16-qpr2:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 14:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| android | 14.0 | – | |
| android | 15.0 | – | |
| android | 16.0 | – | |
| android | 16.0 | – | |
| android | 16.0 | – | |
| android | 16.0 | – | |
| google | platform/packages/providers/mediaprovider | > 16-qpr2-next:0, <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 15:0, <= 15:2026-03-01 | 15:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 16:0, <= 16:2026-03-01 | 16:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 16-qpr2:0, <= 16-qpr2:2026-03-01 | 16-qpr2:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 14:0, <= 14:2026-03-01 | 14:2026-03-01 |
Original title
In isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information ...
Original description
In isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
NVD CVSS 3.1 score: 4.0
Vulnerability type
CWE-862
Missing Authorization
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026