PatchSiren cyber security CVE debrief

CVE-2017-0424 Google CVE debrief

CVE-2017-0424 is an information disclosure vulnerability in Android AOSP Messaging affecting Android 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1 per the supplied NVD CPE data. The issue can let a specially crafted file expose data outside intended permission boundaries, weakening a defense-in-depth or exploit-mitigation control in a privileged process. NVD rates the issue Medium (CVSS 5.5) with high confidentiality impact and no integrity or availability impact. The supplied description says a remote attacker could trigger it, while the NVD CVSS vector classifies the attack as local with required user interaction, so defenders should rely on the published advisory and patch guidance rather than the shorthand description alone.

Vendor: Google
Product: CVE-2017-0424
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android fleet owners, OEMs, mobile security teams, and MDM/UEM administrators supporting affected AOSP Messaging builds on Android 6.x and 7.x. Teams that handle untrusted files or manage devices that may not receive timely OS updates should pay particular attention.

Technical summary

The vulnerability is a CWE-200 information disclosure in AOSP Messaging. According to the supplied NVD data, the CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating a local attack vector, no privileges required, required user interaction, and a primary impact of confidential data exposure. The vendor description frames the issue as a bypass of a user-level defense-in-depth or exploit-mitigation technology in a privileged process. Because the provided narrative and the CVSS vector differ on attack reachability, remediation should be based on the official Android/NVD references.

Defensive priority

Medium. This is a confidentiality issue rather than an execution or integrity flaw, but it can still expose protected data and undermine defenses in a privileged process. Patch affected Android builds as soon as vendor updates are available, especially on managed devices that routinely process untrusted files.

Recommended defensive actions

  • Apply the Android security bulletin update referenced by the vendor advisory for affected builds.
  • Confirm device exposure against the NVD-listed affected Android versions: 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1.
  • Prioritize patching on fleet devices that handle untrusted files or rely on Messaging-related workflows.
  • Use mobile management policy to verify OS security patch levels and remove or isolate unpatched devices from sensitive data.
  • Track vendor advisories and NVD updates for any additional clarifications or superseding remediation guidance.
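The exposure check in the two bullets above, as an added example that is not PatchSiren's or Google's code: it triages a constructed device inventory against the NVD-listed affected releases and the 2017-02-01 bulletin patch level. It assumes the fix ships at security patch level 2017-02-01 (the bulletin date the debrief references) and that the inventory carries the standard `ro.build.version.release` and `ro.build.version.security_patch` property values.

```python
from datetime import date

# Affected Android releases per the NVD CPE data quoted in the debrief.
AFFECTED_RELEASES = {"6.0", "6.0.1", "7.0", "7.1.0", "7.1.1"}
# Patch level of the referenced Android bulletin (assumption: the fix ships at this level).
FIXED_PATCH_LEVEL = date(2017, 2, 1)


def parse_patch_level(value):
    """Parse a ro.build.version.security_patch string (YYYY-MM-DD); None if missing or garbled."""
    try:
        y, m, d = (int(p) for p in value.strip().split("-"))
        return date(y, m, d)
    except (AttributeError, ValueError):
        return None


def is_exposed(release, security_patch):
    """True when the release is in the affected set and its patch level predates the fix.

    An affected release with a missing or unparsable patch level is treated as
    exposed (fail closed) so that it is isolated rather than silently trusted.
    """
    if release.strip() not in AFFECTED_RELEASES:
        return False
    level = parse_patch_level(security_patch)
    return level is None or level < FIXED_PATCH_LEVEL


def triage(inventory):
    """Return the IDs of devices that need patching or isolation, in inventory order."""
    return [dev["id"] for dev in inventory
            if is_exposed(dev["release"], dev["security_patch"])]


# Constructed sample inventory mimicking getprop values exported from an MDM.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "release": "7.1.1", "security_patch": "2017-01-05"},  # affected, unpatched
    {"id": "dev-002", "release": "7.1.1", "security_patch": "2017-02-05"},  # affected release, patched
    {"id": "dev-003", "release": "7.1.2", "security_patch": "2017-04-01"},  # not in the NVD list
    {"id": "dev-004", "release": "6.0.1", "security_patch": ""},            # patch level unknown: flag
    {"id": "dev-005", "release": "6.0",   "security_patch": "2017-02-01"},  # exactly at the fixed level
]

if __name__ == "__main__":
    for dev_id in triage(SAMPLE_INVENTORY):
        print("EXPOSED:", dev_id)
```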

Evidence notes

NVD describes CVE-2017-0424 as an information disclosure in AOSP Messaging and assigns CWE-200. The supplied CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The NVD CPE criteria list Android 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1 as vulnerable. The Android security bulletin referenced in NVD is https://source.android.com/security/bulletin/2017-02-01.html. No KEV data was supplied for this CVE.

Official resources

CVE published on 2017-02-08 per the supplied timeline. The vendor advisory referenced by NVD is dated 2017-02-01. No KEV date is listed in the supplied enrichment.