Particle.news

OnePlus OxygenOS Bug Lets Apps Read SMS Without Permission as Patch Rollout Targets Mid-October

OnePlus plans a global update following Rapid7’s disclosure that its telephony changes exposed SMS data.

Overview

  • Rapid7 reported a permission-bypass flaw that lets any installed app access SMS and MMS contents and metadata without user consent or interaction.
  • The vulnerability affects OxygenOS versions 12 through 15, with tests confirming impact on the OnePlus 8T and 10 Pro and researchers noting the list is not exhaustive.
  • Tracked as CVE-2025-10184, the issue stems from OnePlus-added Telephony content providers with misconfigured permissions that bypass Android’s READ_SMS protections.
  • Rapid7 said months of outreach to OnePlus went unanswered before public disclosure this week; OnePlus later acknowledged the flaw and says it has implemented a fix.
  • OnePlus says a global software update will begin in mid-October; until devices are patched, users are advised to minimize installed apps, install only from trusted sources, and switch away from SMS-based MFA.