Description
In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-10
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

A race condition in the Video Processing Unit causes a use‑after‑free read, allowing local data to be leaked. The flaw can be triggered without any additional privilege or malicious code execution. The vulnerability is classified under CWE‑362 (Race Condition) and CWE‑416 (Use After Free).

Affected Systems

The affected product is Google Android. Specific version information is not provided, so any supported Android release that contains the VPU implementation may be impacted until a patch is released.

Risk and Exploitability

The CVSS score is 2.9, indicating low severity, and the EPSS score is less than 1%, showing a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The attack can occur locally, without user interaction, and requires no elevated execution privileges.

Generated by OpenCVE AI on April 16, 2026 at 03:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Android security patch once it is available from Google.
  • Verify that the device firmware is updated to the latest supported Android build that includes the VPU fix.
  • Monitor Google Android security bulletins and revoke any untrusted applications that may leverage the VPU path until the patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 03:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Race Condition in Android VPU Leading to Local Information Disclosure

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
References

Wed, 11 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 10 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-03-17T20:50:55.253Z

Reserved: 2025-10-23T08:43:19.699Z

Link: CVE-2026-0121

cve-icon Vulnrichment

Updated: 2026-03-10T21:12:12.557Z

cve-icon NVD

Status : Modified

Published: 2026-03-10T21:16:45.580

Modified: 2026-03-17T21:16:18.987

Link: CVE-2026-0121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses