Description
In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in several functions within vpu_ioctl.c where a race condition can cause a use‑after‑free scenario. When the race occurs, an attacker can manipulate the freed memory to execute malicious code within the context of the current user, thereby gaining elevated privileges on the device. This flaw requires no user interaction and does not provide additional execution privileges beyond the local user who triggers it.

Affected Systems

Affected systems are devices running Google Android that include the vulnerable vpu_ioctl component. No specific Android releases are listed in the data; the issue applies to all releases that contain the unpatched code referenced in the Google Pixel 2026 security bulletin.

Risk and Exploitability

The CVSS score of 7 indicates a moderate‑to‑high severity. The EPSS score of less than 1% shows that the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, so no confirmed exploitation is known. Because exploitation is local and does not require user interaction, the attack vector is inferred to be local command execution that triggers the race condition on the affected device.

Generated by OpenCVE AI on June 17, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Android update detailed in the Google Pixel 2026 security bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01, which addresses the use‑after‑free in vpu_ioctl.c.
  • If the patch is not yet available, limit access to the VPU ioctl interface by enforcing SELinux policies or adjusting the driver permissions so that only the system process can invoke it.
  • Ensure that any third‑party applications that interact with the VPU driver are updated or disabled until the patch is applied.

Generated by OpenCVE AI on June 17, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Use‑After‑Free in vpu ioctl

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-17T03:56:24.434Z

Reserved: 2025-10-23T08:43:25.150Z

Link: CVE-2026-0125

cve-icon Vulnrichment

Updated: 2026-06-16T20:38:50.346Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:23.430

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0125

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:15:10Z

Weaknesses