PatchSiren cyber security CVE debrief
CVE-2017-0421 Google CVE debrief
CVE-2017-0421 is an Android information disclosure issue in the Framework APIs. A local malicious application could use the flaw to bypass operating-system protections that normally isolate one app’s data from another app’s access. Google rated the issue as High in its Android security bulletin, while NVD lists a CVSS 3.0 base score of 5.5 (Medium) with confidentiality impact only. The practical concern is unauthorized access to sensitive application data on affected Android releases.
- Vendor
- Product
- CVE-2017-0421
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-08
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-08
- Advisory updated: 2026-05-13
Who should care
Android device maintainers, OEMs, enterprise mobility teams, and security administrators responsible for fleets running affected Android versions should care most. App developers should also care because the flaw involves OS-level data isolation rather than a single third-party app.
Technical summary
NVD describes the weakness as CWE-200 (Information Exposure). The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating a local attack that requires user interaction but no privileges and primarily affects confidentiality. The issue is tied to Android Framework APIs and can allow a malicious local app to bypass app-data isolation protections. The affected Android versions named in the corpus are 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, and 7.1.1; NVD’s CPE criteria also enumerate several related 5.x–7.1.1 builds as vulnerable.
Defensive priority
High for environments that still run affected Android builds, especially devices handling sensitive corporate or personal data. Prioritize vendor security bulletin updates and verify that affected devices are on patched builds.
Recommended defensive actions
- Apply the Android security bulletin updates referenced by Google for the affected release line.
- Inventory devices running Android 5.x through 7.1.1 and confirm they are on patched builds.
- Treat unknown or untrusted local apps as a meaningful risk on affected devices, especially where sensitive app data is stored.
- Review mobile app access controls and data-handling assumptions, since the issue weakens OS isolation between applications.
- Use the official NVD and Android bulletin references to confirm remediation status for your specific device model and build.
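One way to run the inventory check from the list above over an MDM export, as an added example that is not part of the original debrief. The CSV columns (`device_id`, `release`, `security_patch`) are hypothetical names for values a device reports in `ro.build.version.release` and `ro.build.version.security_patch`, and the fixed patch level is an assumption taken from the bulletin date quoted on this page.

```python
import csv
import io
from datetime import date

# Scope taken from this page: "Android 5.x through 7.1.1".
SCOPE_MIN, SCOPE_MAX = (5, 0), (7, 1, 1)
# Assumption: the fix arrives with the patch level matching the bulletin date
# quoted on this page (2017-02-01). Confirm against the bulletin for your build.
ASSUMED_FIX_LEVEL = date(2017, 2, 1)


def classify(release, patch_level, fix_level=ASSUMED_FIX_LEVEL):
    """Return a triage status for one device record."""
    try:
        version = tuple(int(part) for part in (release or "").strip().split("."))
    except ValueError:
        return "review"  # release string missing or not numeric
    if not SCOPE_MIN <= version <= SCOPE_MAX:
        return "out-of-scope"
    try:
        reported = date.fromisoformat((patch_level or "").strip())
    except ValueError:
        return "unverified"  # in scope, but no usable patch level reported
    return "patched" if reported >= fix_level else "vulnerable"


def triage(inventory_csv):
    """Map device_id -> status for a CSV with release and security_patch columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["release"], r["security_patch"]) for r in rows}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """device_id,release,security_patch
tab-001,6.0.1,2016-12-01
phone-002,7.1.1,2017-02-05
phone-003,5.1.1,
kiosk-004,8.0.0,2017-08-05
phone-005,7.0,2017-02-01
"""

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices that come back as `unverified` are in the affected range but report no patch level, so they need a manual build check rather than being counted as patched.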
Evidence notes
This debrief is based on the NVD CVE record, which provides the vulnerability description, CVSS v3.0 vector, CWE-200 classification, and affected CPE criteria, plus Google’s Android security bulletin reference. The corpus links the issue to Android’s Framework APIs and to the February 2017 Android security bulletin. CVE published date used here is 2017-02-08; the NVD record was later modified on 2026-05-13.
Official resources
- CVE-2017-0421 CVE record (CVE.org)
- CVE-2017-0421 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE published on 2017-02-08. Google’s Android security bulletin reference in the corpus is dated 2017-02-01. The NVD record was modified on 2026-05-13; that is a metadata update, not the vulnerability’s original disclosure date.