{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0634", "assignerOrgId": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "state": "PUBLISHED", "assignerShortName": "TECNOMobile", "dateReserved": "2026-01-06T01:33:04.882Z", "datePublished": "2026-04-02T08:48:45.687Z", "dateUpdated": "2026-04-02T13:35:18.680Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "shortName": "TECNOMobile", "dateUpdated": "2026-04-02T08:48:45.687Z"}, "title": "Code Execution in AssistFeedbackService on TECNO Pova7 Pro 5G", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-88", "description": "CWE-88 Improper neutralization of argument delimiters in a command ('argument injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "affected": [{"vendor": "TECNO Mobile", "product": "TECNO Pova7 Pro 5G", "platforms": ["Android"], "versions": [{"status": "affected", "version": "HiOS V15.1.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.  "}]}], "references": [{"url": "https://security.tecno.com/SRC/securityUpdates"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:35:14.321967Z", "id": "CVE-2026-0634", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:35:18.680Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0634", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:35:14.321967Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:34:54.989Z"}}], "cna": {"title": "Code Execution in AssistFeedbackService on TECNO Pova7 Pro 5G", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "affected": [{"vendor": "TECNO Mobile", "product": "TECNO Pova7 Pro 5G", "versions": [{"status": "affected", "version": "HiOS V15.1.0"}], "platforms": ["Android"], "defaultStatus": "unaffected"}], "references": [{"url": "https://security.tecno.com/SRC/securityUpdates"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.", "supportingMedia": [{"type": "text/html", "value": "Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.  ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper neutralization of argument delimiters in a command ('argument injection')"}]}], "providerMetadata": {"orgId": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "shortName": "TECNOMobile", "dateUpdated": "2026-04-02T08:48:45.687Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0634", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:35:18.680Z", "dateReserved": "2026-01-06T01:33:04.882Z", "assignerOrgId": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "datePublished": "2026-04-02T08:48:45.687Z", "assignerShortName": "TECNOMobile"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection."}], "id": "CVE-2026-0634", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-02T09:16:20.397", "references": [{"source": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "url": "https://security.tecno.com/SRC/securityUpdates"}], "sourceIdentifier": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["android"], "status": "affected", "versions": {"scheme": "generic", "value": "HiOS V15.1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "TECNO Pova7 Pro 5G", "source": "cna", "vendor": "TECNO Mobile"}, "product": "tecno_pova7_pro_5g", "vendor": "tecno_mobile"}], "analysis": {"en": {"generated_at": "2026-04-02T15:26:48.820077+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update released by TECNO Mobile for the Pova7 Pro 5G.", "If an update is not yet available, remove any recently installed applications that could exploit the AssistFeedbackService.", "Restrict app installation to trusted sources and disable unknown-source installations until a patch is applied.", "Regularly review device logs for signs of unexpected privilege\u2011escalating activity."], "summary": {"action": "Immediate Patch", "impact": "Local privilege escalation to system-level code execution"}, "threat_synthesis": {"affected_systems": "The flaw is present only on TECNO Mobile\u2019s Pova7 Pro 5G smartphone. No specific firmware or build identifiers are disclosed, so all units of this model may be affected unless a customer has upgraded to a patched firmware version.", "description_and_impact": "A command injection flaw in the AssistFeedbackService on TECNO Pova7 Pro 5G allows a local application to run arbitrary code with system privileges. This vulnerability can be leveraged to compromise the device, install malware, exfiltrate data, and modify system settings without user awareness.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a significant impact, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog, meaning no known widespread exploitation is recorded. The attack vector is inferred to be local: a malicious application installed on the device can trigger the service and execute code as system."}}}}, "created": "2026-04-02T20:15:26.305399+00:00", "updated": "2026-04-02T20:21:44.614921+00:00", "vendors": ["tecno_mobile", "tecno_mobile$PRODUCT$tecno_pova7_pro_5g"]}