Description
In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a logic error in the PostWipeData function defined in recovery_ui.cpp whereby data intended to be erased during a factory reset remains accessible. This flaw permits local information disclosure without granting extra privileges or requiring the user to take any action. Because the defect affects only information that resides on the device, the impact is confined to confidentiality at the local level.

Affected Systems

Affected systems include devices running Google Android, particularly those using the recovery_ui component at the time of the factory reset. The the reference points to Pixel devices in Google’s Android security bulletin. No version range is stated, so any device that incorporates the vulnerable code segment may be at risk.

Risk and Exploitability

The CVSS score of 3.3 indicates a low severity rating, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog, meaning no known large‑scale exploits have been reported. Nevertheless, because the attack does not require user interaction or elevated privileges, any compromised device could leak private data during a factory reset.

Generated by OpenCVE AI on June 17, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that fixes the recovery_ui component.
  • If an update is unavailable, perform a clean factory reset manually after verifying that no peripherals or external media remain connected to the device.
  • Use Google’s official recovery mode to confirm that all onboard storage is fully erased after the reset.

Generated by OpenCVE AI on June 17, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Data Persistence Issue Leading to Local Information Disclosure After Factory Reset in Android Recovery UI

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1188
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-16T20:51:12.261Z

Reserved: 2025-10-23T08:43:37.055Z

Link: CVE-2026-0134

cve-icon Vulnrichment

Updated: 2026-06-16T20:50:36.838Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:24.260

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0134

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T20:45:03Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default