CVE-2025-10184 HIGH

CVE-2025-10184: OnePlus OxygenOS Telephony provider permission bypass

Vendor OnePlus
Product OxygenOS
Weakness CWE-862 · Missing authorization
Published September 23, 2025
Last update September 23, 2025

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

Description

Any application installed on the device can read SMS/MMS message data and metadata from the system Telephony provider without holding the READ_SMS permission that normally guards that data, and without any user interaction or consent; the user is not notified that SMS data is being accessed. The result is sensitive information disclosure, and it effectively defeats SMS-based multi-factor authentication (MFA), because one-time codes delivered by SMS become readable to the malicious app. The root cause is a combination of two defects: several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider and com.android.providers.telephony.ServiceNumberProvider) require no permission for write operations, and the update method of those providers contains a blind SQL injection. Together they turn an unprotected write path into a read: a caller reaches update without authorization, and the injectable clause lets it extract message contents from the underlying database one condition at a time.
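The following is an added illustration for this advisory, not OnePlus or AOSP code; the package, table, column and permission names are hypothetical. It contrasts an update() built the way the description implies (no authorization, caller-supplied text spliced into the WHERE clause) with a hardened form, and adds a device-side audit that lists exported providers whose write path is not guarded by a manifest permission.

```java
// Added illustration for this advisory, not OnePlus or AOSP code. The package,
// table, column and permission names are hypothetical.
package com.example.telephonyaudit;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.content.pm.ProviderInfo;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** The pattern the advisory describes. Manifest: exported, no android:writePermission. */
abstract class UnprotectedProvider extends ContentProvider {
    protected SQLiteDatabase db; // opened in onCreate(), omitted here

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        // Defect 1 (CWE-862): nobody checks who is calling. Every installed app
        // can reach this method through ContentResolver.update().
        // Defect 2: 'selection' is spliced verbatim into
        //   UPDATE push_message SET ... WHERE <selection>
        // so a caller can embed its own SQL, including subqueries against any
        // other table reachable from this database handle. The returned row
        // count is visible to the caller: no data comes back, but whether a
        // condition held does, one bit per call. That is the blind oracle.
        return db.update("push_message", values, selection, selectionArgs);
    }
}

/** Hardened form: authorize first, then restrict the grammar of the WHERE clause. */
abstract class HardenedProvider extends ContentProvider {
    // Hypothetical permission, also declared on the <provider> element as
    // android:writePermission so the framework rejects callers before this runs.
    static final String WRITE_PERM = "com.example.permission.WRITE_PUSH_MESSAGE";
    private static final Map<String, String> ALLOWED_COLUMNS = new HashMap<>();
    static {
        for (String c : new String[] {"_id", "title", "body", "date"}) ALLOWED_COLUMNS.put(c, c);
    }
    protected SQLiteDatabase db;

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        // Fix 1: enforce authorization in code as well as in the manifest.
        getContext().enforceCallingOrSelfPermission(WRITE_PERM, "update on push_message");

        // Fix 2: route the caller's selection through a strict SQLiteQueryBuilder.
        // setStrict: the selection must compile as a single parenthesised expression.
        // setStrictColumns: only columns present in the projection map may appear.
        // setStrictGrammar: rejects subqueries, functions and other constructs beyond
        // simple comparisons (API 30+), which is what removes the oracle.
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("push_message");
        qb.setProjectionMap(ALLOWED_COLUMNS);
        qb.setStrict(true);
        qb.setStrictColumns(true);
        qb.setStrictGrammar(true);
        return qb.update(db, values, selection, selectionArgs);
    }
}

/** Audit helper: exported providers with neither a write permission nor path permissions. */
final class ProviderAudit {
    private ProviderAudit() {}

    /**
     * Returns "package/class (authority)" for every exported provider whose
     * insert/update/delete path is not guarded by a manifest permission. A hit
     * is a lead, not proof: the provider may still check permissions in code.
     * On Android 11+ the caller needs QUERY_ALL_PACKAGES (or must run as shell)
     * to see providers belonging to other packages.
     */
    static List<String> findWriteUnprotectedProviders(PackageManager pm) {
        List<String> findings = new ArrayList<>();
        List<ProviderInfo> providers = pm.queryContentProviders(null, 0, 0);
        if (providers == null) return findings;
        for (ProviderInfo p : providers) {
            boolean noPathRules = p.pathPermissions == null || p.pathPermissions.length == 0;
            if (p.exported && p.writePermission == null && noPathRules) {
                findings.add(p.packageName + "/" + p.name + " (" + p.authority + ")");
            }
        }
        return findings;
    }
}
```

The two fixes are independent and both are needed: a manifest permission alone stops third-party callers but leaves the injection in place for any process that does hold the permission, while strict grammar alone still lets every app rewrite rows. The audit helper only reads manifest-declared attributes, so run it on a patched and an unpatched build and diff the output rather than treating a single hit as confirmation.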

Key dates

Disclosure timeline

September 23, 2025 CVE published
September 23, 2025 Record updated
