MediaProvider App Can Access Files Without Permission
CVE-2026-0035
ASB-A-418773439
Summary
A logic error in the MediaProvider app allows unauthorized access to files. This could let an attacker read or write files they should not be able to access. To fix this, update the MediaProvider app to a release that corrects the logic error and enforces proper access controls.
What to do
- Update Google platform/packages/providers/mediaprovider to version 16-qpr2-next:2026-03-01.
- Update Google platform/packages/providers/mediaprovider to version 15:2026-03-01.
- Update Google platform/packages/providers/mediaprovider to version 16:2026-03-01.
- Update Google platform/packages/providers/mediaprovider to version 16-qpr2:2026-03-01.
- Update Google platform/packages/providers/mediaprovider to version 14:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| Google | android | 14.0 | – |
| Google | android | 15.0 | – |
| Google | android | 16.0 | – |
| Google | platform/packages/providers/mediaprovider | > 16-qpr2-next:0 , <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| Google | platform/packages/providers/mediaprovider | > 15:0 , <= 15:2026-03-01 | 15:2026-03-01 |
| Google | platform/packages/providers/mediaprovider | > 16:0 , <= 16:2026-03-01 | 16:2026-03-01 |
| Google | platform/packages/providers/mediaprovider | > 16-qpr2:0 , <= 16-qpr2:2026-03-01 | 16-qpr2:2026-03-01 |
| Google | platform/packages/providers/mediaprovider | > 14:0 , <= 14:2026-03-01 | 14:2026-03-01 |
Original title
In createRequest of MediaProvider.java, there is a possible way for an app to gain read/write access to non-existing files due to a logic error in the code. This could lead to local escalation of p...
Original description
In createRequest of MediaProvider.java, there is a possible way for an app to gain read/write access to non-existing files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
NVD CVSS 3.1
8.4
Vulnerability type
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026