PatchSiren cyber security CVE debrief
CVE-2017-0420 Google CVE debrief
CVE-2017-0420 is an Android information disclosure issue in AOSP Mail. According to the CVE description, a local malicious application could bypass operating-system protections that isolate application data from other apps, leading to unauthorized access to data the app should not have. The issue was published on 2017-02-08, with Android's security bulletin dated 2017-02-01 as the vendor reference. NVD lists the weakness as CWE-200 and includes affected Android releases spanning 4.4.4 through 7.1.1.
- Vendor: Google
- Product: AOSP Mail
- CVE: CVE-2017-0420
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-08
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-08
- Advisory updated: 2026-05-13
Who should care
Android security teams, mobile device managers, enterprise IT admins, and users or operators of devices still running affected Android releases, especially where AOSP Mail is deployed or relied upon.
Technical summary
The flaw is an information disclosure condition in AOSP Mail. The supplied NVD vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating a local attack path that requires user interaction and impacts confidentiality rather than integrity or availability. The CVE data and NVD CPE list indicate exposure across multiple Android versions, including 4.4.4, 5.x, 6.x, and 7.x releases. The weakness is classified as CWE-200.
Defensive priority
Medium to High. The attack requires a local malicious app and user interaction, but the confidentiality impact is significant because it can expose data isolated from other apps.
Recommended defensive actions
- Apply the Android security update referenced in the 2017-02-01 Android Security Bulletin on all affected devices.
- Prioritize remediation for any device still running Android 4.4.4 through 7.1.1 that has not received vendor updates.
- Review whether AOSP Mail is present and used in your fleet, and replace or update it where vendor-supported fixes are available.
- Restrict installation of untrusted apps and keep mobile application allowlisting or MDM controls enabled to reduce exposure to local malicious apps.
- Validate device patch levels across managed Android fleets and flag any unpatched legacy devices for replacement or isolation.
- Monitor third-party advisories and vendor bulletins for confirmation of the fixed build or backported remediation.
Evidence notes
Primary evidence comes from the CVE record and NVD detail. The CVE description states that a local malicious application could bypass OS protections isolating app data. NVD supplies the CVSS vector, the CWE-200 classification, and the affected Android version criteria. The Android Security Bulletin dated 2017-02-01 is the vendor advisory referenced in the source corpus.
Official resources
- CVE-2017-0420 CVE record (CVE.org)
- CVE-2017-0420 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the Android Security Bulletin dated 2017-02-01; the CVE record was published on 2017-02-08 and later modified by NVD on 2026-05-13.