CVE-2026-0634: CWE-88 Improper neutralization of argument delimiters in a command ('argument injection') in TECNO Mobile TECNO Pova7 Pro 5G
CVE-2026-0634 is a high-severity vulnerability in the AssistFeedbackService component of TECNO Mobile's TECNO Pova7 Pro 5G running HiOS V15. 1. 0. It allows local applications with limited privileges to execute arbitrary code with system-level permissions via command injection due to improper neutralization of argument delimiters. This vulnerability can lead to full compromise of confidentiality, integrity, and availability on affected devices. No public exploits are known at this time, and no patch or remediation information is currently available.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-0634) involves improper neutralization of argument delimiters (CWE-88) in the AssistFeedbackService on TECNO Pova7 Pro 5G devices running HiOS V15.1.0. Local apps with limited privileges can exploit this command injection flaw to execute arbitrary code with system privileges, potentially leading to complete device compromise. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability. The vulnerability was published on April 2, 2026, and no patches or official fixes have been disclosed by TECNO Mobile as of now.
Potential Impact
Successful exploitation allows local attackers to execute arbitrary code with system-level privileges, resulting in full compromise of the device's confidentiality, integrity, and availability. This could enable unauthorized control over the device and its data. There are no known public exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict installation and execution of untrusted local applications on affected devices to reduce risk.
CVE-2026-0634: CWE-88 Improper neutralization of argument delimiters in a command ('argument injection') in TECNO Mobile TECNO Pova7 Pro 5G
Description
CVE-2026-0634 is a high-severity vulnerability in the AssistFeedbackService component of TECNO Mobile's TECNO Pova7 Pro 5G running HiOS V15. 1. 0. It allows local applications with limited privileges to execute arbitrary code with system-level permissions via command injection due to improper neutralization of argument delimiters. This vulnerability can lead to full compromise of confidentiality, integrity, and availability on affected devices. No public exploits are known at this time, and no patch or remediation information is currently available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-0634) involves improper neutralization of argument delimiters (CWE-88) in the AssistFeedbackService on TECNO Pova7 Pro 5G devices running HiOS V15.1.0. Local apps with limited privileges can exploit this command injection flaw to execute arbitrary code with system privileges, potentially leading to complete device compromise. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability. The vulnerability was published on April 2, 2026, and no patches or official fixes have been disclosed by TECNO Mobile as of now.
Potential Impact
Successful exploitation allows local attackers to execute arbitrary code with system-level privileges, resulting in full compromise of the device's confidentiality, integrity, and availability. This could enable unauthorized control over the device and its data. There are no known public exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict installation and execution of untrusted local applications on affected devices to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- TECNOMobile
- Date Reserved
- 2026-01-06T01:33:04.882Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69ce3203e6bfc5ba1dc4189f
Added to database: 4/2/2026, 9:08:19 AM
Last enriched: 4/10/2026, 12:11:44 AM
Last updated: 5/20/2026, 9:42:04 PM
Views: 83
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.