Impact
The flaw is located in the EdgeTPU driver within edgetpu_sync_fence_group_shutdown() of edgetpu-dmabuf.c. A use‑after‑free condition permits a local attacker to escalate privilege and gain System execution rights. The vulnerability is designated as CWE‑416 and does not require user interaction.
Affected Systems
Google Android devices that utilize the EdgeTPU driver, including Pixel smartphones and tablets running the current Android OS without a patched driver, are affected. Specific OS or hardware versions are not disclosed, so any device dependent on the unpatched edgetpu-dmabuf.c code is at risk.
Risk and Exploitability
The CVSS score of 7.8 signifies high severity; however, the EPSS score is below 1 %, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Despite the low exploitation likelihood, the attack can occur locally and without user interaction, making it a credible threat when a device runs a vulnerable EdgeTPU driver.
OpenCVE Enrichment