Description
In vpu_open_inst of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-10
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A race condition in the Android VPU driver’s vpu_open_inst function can trigger a use‑after‑free, allowing an attacker on the same device to gain elevated privileges without requiring additional execution rights or user interaction. The flaw stems from improper memory management in a concurrent environment, as identified by CWE‑362 and CWE‑416.

Affected Systems

This vulnerability impacts Android devices running the Google Android operating system, as indicated by the CPE string and vendor list. No specific subsystem or version range is provided, so the flaw is presumed to affect all builds that include the affected VPU driver until a patch is applied.

Risk and Exploitability

The CVSS score of 7.4 implies a high severity for local escalation. The EPSS score of less than 1% suggests that exploitation is unlikely to be widespread or automated, and the vulnerability is not listed in the CISA KEV catalog. Exploitation does not require network or user‑initiated action; a malicious application or script able to invoke the vulnerable ioctl would be sufficient.

Generated by OpenCVE AI on April 16, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android OTA update that contains the vendor‑supplied patch for the VPU driver.
  • If an update is not immediately available, restrict access to the vpu_ioctl interface by applying SELinux policy changes to limit usage to trusted system binaries only.
  • Monitor device logs for any unusual access to the VPU driver and keep the system's security baseline up to date.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Wed, 11 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-362, CWE-416
References | |
Metrics | | cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google android
Vendors & Products | | Google; Google android

Tue, 10 Mar 2026 22:30:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 10 Mar 2026 21:30:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 10 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | In vpu_open_inst of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References | |

MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-03-12T03:55:27.060Z

Reserved: 2025-10-23T08:43:06.676Z

Link: CVE-2026-0112

Vulnrichment

Updated: 2026-03-11T14:42:08.129Z

NVD

Status: Analyzed

Published: 2026-03-10T21:16:44.650

Modified: 2026-03-11T17:14:01.900

Link: CVE-2026-0112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses