CVE-2026-40002
Privilege Escalation via Unvalidated Service Interface in Red Magic 11 Pro
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: ZTE Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zte | red_magic_11_pro | nx809j |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Red Magic 11 Pro (NX809J) has a vulnerability where non-privileged applications can trigger sensitive operations because the system does not properly validate which applications can access a certain service interface.
This flaw allows an attacker to write files to specific partitions and modify writable system properties, actions that should normally require higher privileges.
How can this vulnerability impact me? :
Exploiting this vulnerability could allow an attacker to write unauthorized files to important partitions and change system properties, potentially compromising system integrity and security.
Since the attacker only needs limited privileges to perform these actions, it increases the risk of unauthorized modifications and possible further exploitation.