
CVE-2026-0134: Google Android Information Disclosure Flaw

CVE-2026-0134 is an information disclosure vulnerability in Google Android affecting the factory reset process. A logic error in recovery_ui.cpp allows data to persist after wiping, enabling local disclosure without privileges.

CVE-2026-0134 Overview

CVE-2026-0134 is a local information disclosure vulnerability in Google Android. The flaw resides in the PostWipeData function of recovery_ui.cpp, where a logic error causes data to persist after a factory reset operation. An attacker with local access can recover information that users expect to be erased during the device wipe process.

Exploitation requires no user interaction and no elevated privileges beyond standard local access. The issue is classified under CWE-1188, Insecure Default Initialization of Resource.

Critical Impact

Sensitive user data may remain on the device following a factory reset, exposing residual information to subsequent device owners or attackers with local access.

Affected Products

  • Google Android (see Android June 2026 Security Bulletin for affected versions)
  • Google Pixel devices running affected Android builds
  • Android Open Source Project (AOSP) recovery_ui component

Discovery Timeline

  • 2026-06-16 - CVE-2026-0134 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0134

Vulnerability Analysis

The vulnerability exists in the PostWipeData routine of recovery_ui.cpp, a component of Android's recovery subsystem responsible for finalizing factory reset operations. A logic error in this function causes certain data structures or storage regions to remain populated after the wipe sequence completes.

Factory reset functionality is a foundational security control on mobile devices. Users rely on it to erase personal data before selling, returning, or repurposing a device. When the wipe routine fails to clear all expected data, residual information remains accessible to the next user of the device or to an attacker who acquires physical access.

The flaw is categorized as CWE-1188, reflecting improper initialization of resources during the post-wipe phase.

Root Cause

The root cause is a logic error in the PostWipeData function. The implementation does not correctly clear or reinitialize all data regions that should be sanitized as part of the factory reset workflow. As a result, the wipe operation completes successfully from the user's perspective while leaving residual data behind.

Attack Vector

The attack vector is local. An adversary with physical or local access to a device that has undergone a factory reset can read residual data left on the device by the flawed wipe routine. No user interaction is required, and only low privileges are needed to access the remaining data.

Further technical details are documented in the Android June 2026 Security Bulletin.

Detection Methods for CVE-2026-0134

Indicators of Compromise

  • Presence of user data, application state, or account artifacts on a device that has been factory reset
  • Unexpected files or partitions populated after invoking the recovery wipe routine
  • Android build fingerprints predating the June 2026 security patch level

Detection Strategies

  • Audit device Android security patch levels and flag devices below the 2026-06-01 patch level
  • After factory reset, validate that user data partitions and recovery-managed storage regions are empty
  • Include post-wipe verification in device decommissioning workflows for enterprise-managed fleets
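The patch-level audit above, as an added example that is not code from the advisory or from Android: it flags devices whose security patch level predates 2026-06-01, reading the standard ro.build.version.security_patch property via adb (assumed installed) or a constructed "serial patch_level" inventory on stdin.

```shell
# Added example, not code from the advisory or from Android itself: flag
# managed devices whose Android security patch level predates the 2026-06-01
# level that carries the CVE-2026-0134 fix. The inventory format (serial and
# patch level per line) is a constructed assumption of this example.

FIXED_PATCH_LEVEL="2026-06-01"

# Returns 0 when a YYYY-MM-DD patch level is at or after FIXED_PATCH_LEVEL.
# Dashes are stripped so the date compares as the integer 20260601.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;   # empty or malformed: treat as non-compliant
    esac
    [ "$(printf '%s' "$1" | sed 's/-//g')" -ge 20260601 ]
}

# Reads "serial patch_level" lines on stdin, prints every device below the
# fixed level and returns 1 if any device was flagged.
audit_inventory() {
    flagged=0
    while read -r serial level _; do
        case "$serial" in ''|'#'*) continue ;; esac
        if ! patch_level_ok "$level"; then
            printf '%s\t%s\tbelow %s: CVE-2026-0134 unpatched\n' \
                "$serial" "${level:-unknown}" "$FIXED_PATCH_LEVEL"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Builds a live inventory from USB-attached devices. Assumes adb (Android
# platform tools) is installed and the devices are authorized for debugging;
# ro.build.version.security_patch is the standard Android system property.
collect_inventory() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s %s\n' "$serial" "$level"
    done
}

# Constructed sample: one patched device, one unpatched, one with no level.
printf 'pixel-a1 2026-06-01\npixel-b2 2026-05-05\ntablet-c3\n' | audit_inventory ||
    echo "devices above need the June 2026 update before a factory reset is trusted"
```

For a real fleet, pipe `collect_inventory | audit_inventory` into the decommissioning checklist so unpatched devices are held back from redistribution.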

Monitoring Recommendations

  • Enroll devices in Mobile Device Management (MDM) and track security patch compliance against the June 2026 Android bulletin
  • Establish a documented decommissioning procedure that verifies data residue is absent before redistributing devices
  • Monitor vendor advisories from Google and OEMs for downstream patch availability

How to Mitigate CVE-2026-0134

Immediate Actions Required

  • Apply the Android security patch level 2026-06-01 or later as soon as it is available for the affected device model
  • For devices that cannot be patched, avoid relying on factory reset alone to sanitize the device before transfer or disposal
  • Use full-disk encryption with a strong passphrase, then perform the factory reset, so any residual data remains encrypted

Patch Information

Google addressed CVE-2026-0134 in the June 2026 Android Security Bulletin. Device owners should install updates as released by Google for Pixel devices and by their respective OEMs for other Android handsets. Refer to the Android June 2026 Security Bulletin for the authoritative list of affected builds and fix availability.

Workarounds

  • Encrypt the device with a strong, unique passphrase before performing a factory reset so residual data is unreadable without the key
  • For high-assurance decommissioning, perform multiple factory resets and overwrite storage with non-sensitive data between resets
  • Where possible, use OEM or enterprise-grade secure-erase tooling rather than relying solely on the in-OS factory reset

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.