CVE-2026-0133 Overview
CVE-2026-0133 is a local privilege escalation vulnerability in the Android kernel's ARM System Memory Management Unit version 3 (SMMU-v3) driver. The flaw exists in the smmu_attach_dev function within arm-smmu-v3.c, where a required permission check is missing. An attacker with local, low-privileged access can exploit this missing authorization control to sign malicious Android Runtime (ART) bootclass artifacts. Successful exploitation grants elevated privileges; it needs no additional execution privileges and no user interaction. The issue is tracked under CWE-862: Missing Authorization and impacts Google Android devices addressed in the Android Security Bulletin June 2026.
Critical Impact
A local attacker can elevate privileges and sign malicious ART bootclass artifacts without user interaction, compromising the integrity of the Android runtime trust chain.
Affected Products
- Google Android (Pixel devices addressed in the June 2026 bulletin)
- Devices using the ARM SMMU-v3 kernel driver (arm-smmu-v3.c)
- Android builds shipped prior to the June 2026 security patch level
Discovery Timeline
- 2026-06-01 - Google publishes fix in the Android Security Bulletin (June 2026)
- 2026-06-16 - CVE-2026-0133 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD
Technical Details for CVE-2026-0133
Vulnerability Analysis
The vulnerability resides in smmu_attach_dev, the function responsible for attaching a device to an ARM SMMU-v3 stream and binding it to an I/O page table. The function fails to enforce a permission check before completing the attachment operation. As a result, a local caller can reach a code path that should be restricted to privileged contexts. The attacker leverages this oversight to manipulate trust boundaries around the Android Runtime, ultimately reaching a state where malicious bootclass artifacts can be signed and treated as legitimate by the runtime loader.
Root Cause
The root cause is a missing authorization check [CWE-862] on a sensitive kernel operation. smmu_attach_dev accepts attachment requests without validating whether the caller holds the rights necessary to influence the resulting DMA and memory translation context. This authorization gap creates a path from unprivileged local code to operations that affect kernel-managed memory mappings and, by extension, signed-artifact integrity in ART.
Attack Vector
Exploitation requires local access and low privileges on the device. The attacker invokes the vulnerable kernel path from a user-context process without triggering any user-facing prompts. Because user interaction is not required and the scope is unchanged, malware already running on the device, such as a sideloaded application abusing exposed interfaces, can execute the chain silently. The end state allows the attacker to sign malicious ART bootclass artifacts, which compromises the integrity of the runtime loaded across applications.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical exploitation details are described in the Android Security Bulletin June 2026.
Detection Methods for CVE-2026-0133
Indicators of Compromise
- Unexpected modifications to ART bootclass artifacts or boot-*.art files under /data/dalvik-cache/ or /system/framework/
- Unsigned or improperly signed processes launching with elevated privileges following local app activity
- Anomalous kernel log entries referencing arm-smmu-v3 device attachments initiated by non-system UIDs
Detection Strategies
- Monitor Android security patch levels and flag devices reporting a patch level earlier than 2026-06-01
- Inspect the integrity of ART bootclass artifacts using device attestation services such as the Play Integrity API
- Alert on local processes attempting to interact with SMMU-related sysfs or device nodes outside expected system services
Monitoring Recommendations
- Centralize Android device telemetry, including patch level and integrity attestation, in a mobile threat defense or unified endpoint management platform
- Track installation of sideloaded applications and correlate with abnormal privilege transitions on the device
- Review enterprise application logs for runtime tampering signals reported by ART or SafetyNet/Play Integrity checks
How to Mitigate CVE-2026-0133
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) to all Pixel and supported Android devices
- Enforce a minimum patch level policy through enterprise mobility management to block non-compliant devices from corporate resources
- Restrict sideloading of applications from untrusted sources on managed devices
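The patch-level check from the detection strategies and the minimum patch level policy above can be automated over a device inventory. The following is an added example, not code from Google or from this advisory's source; the CSV layout, device IDs and function names are assumptions, and patch_level is taken to mirror the ro.build.version.security_patch system property.

```python
import csv
import io
from datetime import date

# Minimum security patch level that contains the fix, as stated on this page.
MIN_PATCH_LEVEL = date(2026, 6, 1)

# Constructed sample of an MDM/UEM inventory export (not real devices).
# patch_level mirrors the ro.build.version.security_patch system property.
SAMPLE_INVENTORY = """device_id,model,patch_level
dev-001,Pixel 9,2026-06-05
dev-002,Pixel 8,2026-05-05
dev-003,Pixel 7a,2026-06-01
dev-004,Pixel 8a,
dev-005,Pixel 9 Pro,June 2026
dev-006,Pixel 6,2025-12-01
"""


def parse_patch_level(raw):
    """Return a date for a YYYY-MM-DD patch level, or None if unusable."""
    try:
        return date.fromisoformat(raw.strip())
    except (ValueError, AttributeError):
        return None


def classify(raw_patch_level, minimum=MIN_PATCH_LEVEL):
    """Classify one device; unparseable values are never treated as patched."""
    level = parse_patch_level(raw_patch_level)
    if level is None:
        return "unknown"
    return "compliant" if level >= minimum else "non_compliant"


def audit(inventory_csv):
    """Group device IDs by compliance state for a CSV inventory export."""
    report = {"compliant": [], "non_compliant": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("patch_level"))].append(row["device_id"])
    return report


if __name__ == "__main__":
    for state, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(devices) or '-'}")
```

Devices in the unknown group report a missing or malformed patch level and should be handled like non-compliant ones until their state is confirmed.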
Patch Information
Google addressed CVE-2026-0133 in the Android Security Bulletin June 2026. The fix adds the missing permission check in smmu_attach_dev within arm-smmu-v3.c, ensuring the function rejects requests from callers lacking the required privilege. Device manufacturers must integrate the patch into their respective Android builds and ship the update through their over-the-air channels.
Workarounds
- No vendor-supplied workaround exists; applying the security update is the only supported remediation
- Limit physical and local access to devices that cannot yet receive the June 2026 patch
- Use Play Integrity API attestation to gate access to sensitive enterprise applications until devices are patched

