Description
In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in intfgraph.c’s IntfGraphCreate function allows an out‑of‑bounds write caused by an integer overflow. This flaw can be exploited to execute arbitrary code without requiring elevated privileges, and it does not need the user to interact with the device. The weakness is classified as integer overflow (CWE‑190) and a buffer overrun (CWE‑787).

Affected Systems

Android devices from Google are affected; the specific components are the kernel module performed by intfgraph.c. No version numbers are listed, so any device that still ships the unpatched code is vulnerable.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation in the field, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remote depending on whether an attacker can deliver crafted data to the IntfGraphCreate routine; user interaction is not required. Additional privileges are not needed to execute the payload once the overflow occurs.

Generated by OpenCVE AI on June 17, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Android to the latest available version that contains the intfgraph.c patch.
  • If the device is no longer supported, apply any vendor‑supplied security updates or patches that address the integer overflow.
  • If an immediate patch is not possible, lock down the vulnerable module by limiting untrusted input and enforcing SELinux policies that prevent arbitrary code execution.
  • Monitor kernel activity for anomalous writes or privilege escalations, and apply general kernel hardening measures including bounds checks and input validation.

Generated by OpenCVE AI on June 17, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in Android IntfGraphCreate Leading to Remote Code Execution

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-17T03:56:12.373Z

Reserved: 2025-10-23T08:44:00.676Z

Link: CVE-2026-0151

cve-icon Vulnrichment

Updated: 2026-06-16T20:00:21.999Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:25.793

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0151

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses