PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-0414 Google CVE debrief

CVE-2017-0414 is an information disclosure issue in AOSP Messaging that could let a local malicious application bypass Android application-data isolation and access data it should not be able to read. Google rated the issue High in the Android security bulletin, while the NVD record lists a CVSS 3.0 score of 5.5 (Medium) with confidentiality impact only.

Vendor: Google
Product: CVE-2017-0414
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android platform owners, mobile device administrators, app security teams, and users of affected Android 6.0/6.0.1/7.0/7.1.0/7.1.1 devices should care, especially where untrusted apps can be installed or run on the device.

Technical summary

The vulnerability is a local information disclosure in Android Messaging (AOSP). The NVD vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact. The weakness is classified as CWE-200. Per the CVE/NVD metadata, affected Android versions include 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1.

Defensive priority

Medium to High for exposed Android fleets: the technical scope is limited to local exploitation and confidentiality impact, but the issue can expose application data on devices that remain on affected builds or run untrusted apps.

Recommended defensive actions

  • Apply the Android security update associated with the 2017-02-01 bulletin and confirm devices have the relevant patch level installed.
  • Inventory Android devices for affected versions (6.0, 6.0.1, 7.0, 7.1.0, 7.1.1) and prioritize remediation for unmanaged or consumer-facing devices.
  • Reduce exposure to untrusted or sideloaded apps, since the issue requires a local malicious application on the device.
  • Review mobile app allowlisting and endpoint controls to limit what can run on impacted devices.
  • Verify post-update device compliance through your mobile device management or fleet reporting system.
  • If a device cannot be updated, treat it as higher risk and limit access to sensitive enterprise data where possible.
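The inventory and compliance steps above can be scripted against a fleet export. The following is an added example, not part of the original debrief or any vendor tooling: the CSV column names and sample rows are constructed, and it assumes that a reported security patch level on or after 2017-02-01 (the bulletin date named above) means the fix is present.

```python
import csv
import io
from datetime import date

# Affected releases as listed on this page (from the CVE/NVD metadata).
AFFECTED_VERSIONS = {"6.0", "6.0.1", "7.0", "7.1.0", "7.1.1"}
# Assumption: a patch level on or after the bulletin date named on the page
# (2017-02-01) means the device carries the fix.
FIXED_PATCH_LEVEL = date(2017, 2, 1)

# Constructed sample MDM export; column names are hypothetical.
SAMPLE_INVENTORY = """device_id,android_version,security_patch,managed
dev-001,7.1.1,2017-01-05,yes
dev-002,7.1.1,2017-02-01,yes
dev-003,6.0.1,2016-11-01,no
dev-004,8.0.0,2017-09-05,yes
dev-005,7.0,,no
"""

def classify(row):
    """Return 'not_affected', 'patched', 'vulnerable' or 'unknown' for one device."""
    if row["android_version"].strip() not in AFFECTED_VERSIONS:
        return "not_affected"
    try:
        level = date.fromisoformat(row["security_patch"].strip())
    except ValueError:
        # Missing or malformed patch level: cannot confirm the fix, check by hand.
        return "unknown"
    return "patched" if level >= FIXED_PATCH_LEVEL else "vulnerable"

def triage(csv_text):
    """Return devices needing action: unmanaged first, then oldest patch level."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row)
        if status in ("vulnerable", "unknown"):
            findings.append({**row, "status": status})
    # Unmanaged devices sort first; a blank patch level sorts ahead of any date.
    findings.sort(key=lambda r: (r["managed"] == "yes", r["security_patch"] or "0000"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["device_id"], f["android_version"], f["security_patch"] or "-", f["status"])
```

Devices reported as "unknown" are kept in the action list on purpose: a missing patch level is not evidence that the update was installed.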

Evidence notes

This debrief is based on the CVE description supplied in the corpus, the NVD metadata for CVE-2017-0414, and the linked Android vendor advisory. The CVE was published on 2017-02-08T15:59:00.863Z. The NVD record lists the affected Android versions and the CVSS vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, and identifies CWE-200.

Official resources

CVE published: 2017-02-08T15:59:00.863Z. Source and CVE metadata were last modified on 2026-05-13T00:24:29.033Z.