Description
In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in the smmu_attach_dev function of arm-smmu-v3.c and allows an attacker to sign malicious Android Runtime bootclass artifacts without the required permission check. The lack of authorization enables a local escalation of privilege; once the artifacts are signed, an attacker can execute code with higher privileges than originally granted. No additional execution privileges are needed and no user interaction is required, meaning the flaw can be abused by any local user with sufficient access to the device environment.

Affected Systems

The flaw affects Google Android systems, as noted by the manufacturer’s security bulletin for Pixel devices. No specific Android version numbers are provided in the advisory, so the risk applies to any affected build until the vendor releases a patch.

Risk and Exploitability

The CVSS score of 7.8 classifies this issue as high severity. The EPSS figure of less than 1% indicates that widespread exploitation has not been observed, yet the flaw remains available for local attackers. Because the access or user interaction, an adversary with physical possession or remote local access to a device can directly sign unauthorized artifacts and gain elevated privileges. The issue is not listed in the CISA KEV catalog, implying it has not yet been confirmed as exploited in the wild, but its high impact warrants immediate attention.

Generated by OpenCVE AI on June 17, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android security patch referenced in the Google security bulletin for the smmu_attach_dev issue as soon as it becomes available.
  • Configure device management policies to restrict which users or applications can sign bootclass artifacts, ensuring only accounts with explicit permission can perform signing operations.
  • Enable automated logging and monitoring for events related to bootclass artifact signing, and investigate any unauthorized attempts promptly.

Generated by OpenCVE AI on June 17, 2026 at 18:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Unauthorized Android Runtime Artifact Signing

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-17T03:56:29.978Z

Reserved: 2025-10-23T08:43:35.898Z

Link: CVE-2026-0133

cve-icon Vulnrichment

Updated: 2026-06-16T20:58:12.817Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:24.170

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0133

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:15:10Z

Weaknesses