Description
The register protection of the PowerVR GPU is incorrectly configured. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-10
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Assess Impact
AI Analysis

Impact

The register protection of the PowerVR GPU is incorrectly configured, enabling local attackers to read sensitive data without needing elevated privileges. The flaw results in a local information disclosure and does not require user interaction, simplifying exploitation. This weakness falls under CWE‑284, an access control failure that allows unauthorized data access.

Affected Systems

Google Android devices, including Pixel handsets, are affected by this misconfiguration. The advisory does not list specific Android version numbers, so the vulnerability status is not tied to any particular build; only devices using the affected PowerVR GPU configuration are at risk.

Risk and Exploitability

The CVSS score of 4 indicates moderate severity, while the EPSS score of <1 % shows a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, implying either recent discovery or low exploitation activity. Attackers would require local presence on the device and could obtain protected data without additional privileges. Overall risk is moderate, but the low exploitation probability and lack of remote access reduce immediate urgency—administrators should still promptly apply updates.

Generated by OpenCVE AI on April 16, 2026 at 09:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that fixes the PowerVR GPU register protection issue.
  • Reinstall the device with a fresh ROM if a patch is not yet available but the device is managed and a quick fix is required.
  • Continue monitoring Google security bulletins for follow‑up advisories and keep all system components, including vendor apps, up to date.

Generated by OpenCVE AI on April 16, 2026 at 09:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Title Misconfigured PowerVR GPU Register Protection Enables Local Information Disclosure

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 10 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description The register protection of the PowerVR GPU is incorrectly configured. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-03-11T15:11:13.807Z

Reserved: 2025-10-23T08:42:59.830Z

Link: CVE-2026-0108

cve-icon Vulnrichment

Updated: 2026-03-11T15:11:04.505Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:44.227

Modified: 2026-03-11T17:14:24.670

Link: CVE-2026-0108

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses