CVE-2023-29726
Description
The Call Blocker application 6.6.3 for Android incorrectly opens a key component that an attacker can use to inject large amounts of dirty data into the application's database. When the application starts, it loads the data from the database into memory. Once the attacker injects too much data, the application triggers an OOM error and crashes, resulting in a persistent denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Call Blocker 6.6.3 for Android exposes a content provider that lets an attacker fill the database with large rows, causing an OOM crash on app restart.
Vulnerability
The Call Blocker application version 6.6.3 for Android (package com.cuiet.blockCalls) exposes a key component — the content provider at URI content://com.cuiet.blockCalls.ContProvBlockCalls — without proper access restrictions. An attacker can use this component to insert arbitrarily large rows into the application's database (specifically the tbBlackList table). When the app subsequently starts, it loads the entire database into memory, and the excessive data triggers an OutOfMemoryError (OOM), causing a persistent crash and denial of service. The vulnerable app is distributed on Google Play [1][2].
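The CVE text says the provider is reachable without proper access restrictions but does not show the app's manifest, so the fragment below is an added illustration, not the vendor's code: it assumes the exposure looks like an exported `<provider>` with no permission, and places that declaration next to the two usual hardened forms. The authority is the one quoted in the description; the class name `.ContProvBlockCalls` and the permission name are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example manifest, not the vendor's. Authority taken from the
     CVE text; the provider class name and permission name are assumed. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.cuiet.blockCalls">

    <!-- Signature-level permission: only apps signed with the same key as
         this one can hold it, so third-party apps on the device cannot
         reach a provider gated by it. -->
    <permission
        android:name="com.cuiet.blockCalls.permission.ACCESS_BLOCKLIST"
        android:protectionLevel="signature" />

    <application>

        <!-- Weak declaration (assumed shape of the exposure described for
             6.6.3): exported with no permission, so any app on the device
             can call ContentResolver.insert() against this authority. -->
        <!--
        <provider
            android:name=".ContProvBlockCalls"
            android:authorities="com.cuiet.blockCalls.ContProvBlockCalls"
            android:exported="true" />
        -->

        <!-- Hardened declaration, option A: the provider is only used by
             the app itself, so it is not exported at all. -->
        <provider
            android:name=".ContProvBlockCalls"
            android:authorities="com.cuiet.blockCalls.ContProvBlockCalls"
            android:exported="false" />

        <!-- Hardened declaration, option B (replace A with this only when a
             companion app from the same vendor must read or write the data):
             still exported, but every access requires the signature
             permission declared above. Only one provider may claim the
             authority, which is why B is commented out here. -->
        <!--
        <provider
            android:name=".ContProvBlockCalls"
            android:authorities="com.cuiet.blockCalls.ContProvBlockCalls"
            android:exported="true"
            android:permission="com.cuiet.blockCalls.permission.ACCESS_BLOCKLIST" />
        -->

    </application>
</manifest>
```

Option A is the right default for a blocklist that only the app itself maintains. Independently of the manifest, the provider's `insert()` can reject values beyond a sensible length and the startup path can page the table instead of loading it whole, which would remove the OOM path the description relies on even if the component were reachable. To see what an installed build actually exposes, `adb shell dumpsys package com.cuiet.blockCalls` lists the package's registered content providers.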
Exploitation
An attacker requires only the ability to run an Android app on the same device (no special permissions or root access). The attack can be performed by a malicious local application that calls the exposed ContentResolver.insert() method on the vulnerable content provider. A proof-of-concept (PoC) [3] demonstrates a loop that repeatedly inserts rows with large random strings (5210 characters each) into the photo_uri and numeroContatto columns of tbBlackList. No user interaction with Call Blocker is needed during the injection phase; the denial of service occurs on the next launch of Call Blocker.
Impact
Successful exploitation results in a persistent denial of service. The Call Blocker application crashes each time the user attempts to start it, making the app permanently unusable unless the injected data is removed from the database. The user cannot block calls or use any of the app's features. This is a complete loss of availability for the targeted application. No data confidentiality or integrity is directly compromised.
Mitigation
No official fix or update has been released by the vendor (Fiorenza Francesco) as of the publication date. Users are advised to uninstall the vulnerable version (6.6.3) and monitor the Google Play listing for a patched version. As a manual workaround, a user with root or ADB access could delete or clear the application's database to restore functionality. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Call Blocker / Call Blocker
- Range: =6.6.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.