Description
In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-02-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in the vpu_mmap function of vpu_ioctl, where a bounds check is omitted, allowing a process to request an mmap to an arbitrary physical address. An attacker who can invoke this ioctl can therefore map privileged memory into the process address space, which in turn can be leveraged to gain local escalation of privilege without the need for additional execution privileges. The vulnerability is a classic out‑of‑bounds memory access problem classified as CWE‑119, CWE‑125, and CWE‑787.

Affected Systems

The issue affects Android systems manufactured or maintained by Google. No specific version information is listed in the CNA data, so all Android releases that have not yet applied the fix are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 9.3 the technical severity is high. The EPSS score is reported as less than 1%, indicating that, as of now, the likelihood of exploitation is considered very low. The vulnerability is not present in the CISA KEV catalog. Exploitation requires local access to the device and the ability to invoke vpu_ioctl, and user interaction is not required, meaning a malicious application or system process could trigger the flaw directly.

Generated by OpenCVE AI on April 17, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android security update outlined in the Google security bulletin for February 2026, which includes a bounds check for vpu_mmap.
  • If no update is immediately available, limit the use of the vpu_ioctl interface by enforcing stricter SELinux policies or removing the driver from user‑level workloads.
  • Monitor device logs for unexpected vpu_ioctl or mmap calls and investigate any anomalous memory mapping activity.

Generated by OpenCVE AI on April 17, 2026 at 22:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Arbitrary mmap in Android vpu_ioctl

Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
References

Tue, 10 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Fri, 06 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125
CWE-787
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-02-26T15:04:17.593Z

Reserved: 2025-10-23T08:42:57.001Z

Link: CVE-2026-0106

cve-icon Vulnrichment

Updated: 2026-02-05T20:40:40.613Z

cve-icon NVD

Status : Modified

Published: 2026-02-05T21:15:52.597

Modified: 2026-02-19T18:24:53.930

Link: CVE-2026-0106

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses