Description
In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in the ExecuteGraph command handler of EdgeTPU firmware can result in an out‑of‑bounds write that elevates a local process to root privileges. The exploit does not require any user interaction or special conditions beyond the ability to issue the ExecuteGraph command, which means that any malicious application or code running on the device could potentially trigger it.

Affected Systems

All Google Android devices that include EdgeTPU firmware. No specific model or firmware version is listed, so the vulnerability may affect current and future EdgeTPU releases until the issue is patched.

Risk and Exploitability

The scoring reflects a high severity with a CVSS score of 7.8 and a very low EPSS of less than 1 %. The vulnerability is not yet listed in CISA's KEV catalog. Because the flaw allows an out‑of‑bounds write that results in privilege escalation, an attacker with local code execution can gain root authority without needing to interact with a user interface. The lack of user interaction and the local nature of the flaw mean that any privileged permissions granted to applications that can communicate with the EdgeTPU firmware could be abused to carry out the exploit.

Generated by OpenCVE AI on June 17, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Android OS and associated EdgeTPU firmware to the latest vendor‑supplied version that contains the integer‑overflow fix.
  • If a patch is not yet available, apply device‑level restrictions that prevent ordinary applications from accessing the EdgeTPU ExecuteGraph interface, such as enforcing SELinux rules or disabling the EdgeTPU service via device policy.
  • Monitor installed applications for use of EdgeTPU APIs and revoke or limit permissions for any app that appears to issue ExecuteGraph commands without a legitimate reason.
  • Validate that the device is running SELinux in enforcing mode to contain any accidental privilege escalation attempts.

Generated by OpenCVE AI on June 17, 2026 at 18:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in EdgeTPU Firmware Enables Local Privilege Escalation

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-17T03:56:13.449Z

Reserved: 2025-10-23T08:43:58.901Z

Link: CVE-2026-0150

cve-icon Vulnrichment

Updated: 2026-06-16T20:01:33.702Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:25.707

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0150

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:15:10Z

Weaknesses