CVE-2026-0137: Google Android Privilege Escalation Flaw

CVE-2026-0137 is a privilege escalation vulnerability in Google Android caused by a use-after-free flaw in edgetpu-dmabuf.c. Attackers with system privileges can exploit this to gain elevated access. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0137 Overview

CVE-2026-0137 is a use-after-free vulnerability [CWE-416] in the edgetpu_sync_fence_group_shutdown() function within edgetpu-dmabuf.c, a component of the Edge TPU driver shipped with Google Android. A local attacker with low privileges can trigger the freed memory reference to achieve elevation of privilege with System execution rights. The flaw does not require user interaction and was disclosed in the June 2026 Android Security Bulletin for Pixel devices.

Critical Impact

Successful exploitation grants System-level execution privileges on affected Android devices, allowing an attacker to bypass the Android sandbox and compromise device confidentiality, integrity, and availability.

Affected Products

  • Google Android (Pixel devices using the Edge TPU driver)
  • Devices shipping the vulnerable edgetpu-dmabuf.c kernel component
  • Android builds prior to the June 2026 Pixel security patch level

Discovery Timeline

  • 2026-06-01 - Addressed in the Android Security Bulletin June 2026
  • 2026-06-16 - CVE-2026-0137 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in the NVD

Technical Details for CVE-2026-0137

Vulnerability Analysis

The vulnerability resides in the Edge TPU (Tensor Processing Unit) DMA-BUF subsystem, which manages buffer sharing between the kernel and the on-device machine learning accelerator. The edgetpu_sync_fence_group_shutdown() function dereferences a memory object after it has already been freed. An attacker running an unprivileged local process can race or manipulate fence group teardown to access dangling memory. Because the Edge TPU driver runs inside the kernel, exploitation yields System privileges, sufficient to disable security controls and read or modify protected data on the device.

Root Cause

The root cause is improper lifetime management of sync fence group objects within the Edge TPU DMA-BUF code path. When edgetpu_sync_fence_group_shutdown() executes, it operates on a structure whose backing allocation has already been released by a concurrent or prior code path. The absence of correct reference counting or synchronization around the fence group permits subsequent use of freed memory [CWE-416].

Attack Vector

The attack vector is local. An adversary must have code execution on the device, typically via a malicious application or a compromised process. No user interaction is required. Exploitation involves invoking driver ioctls or interfaces that interact with Edge TPU DMA-BUF sync fence groups in a sequence that triggers the use-after-free condition, then leveraging the dangling pointer to corrupt kernel memory and elevate privileges. Specific exploitation details are not published in the public advisory.

Detection Methods for CVE-2026-0137

Indicators of Compromise

  • Unexpected kernel crashes or panics referencing edgetpu_sync_fence_group_shutdown or the edgetpu-dmabuf module
  • Untrusted applications repeatedly opening Edge TPU device nodes such as /dev/edgetpu and issuing fence-related ioctls
  • Processes transitioning to the system UID without a legitimate Android service launch path

Detection Strategies

  • Monitor kernel logs (logcat -b kernel, dmesg) for KASAN or use-after-free reports involving the Edge TPU driver
  • Audit installed applications that request access to TPU or DMA-BUF device interfaces without a clear ML workload justification
  • Use Android Verified Boot and Play Protect telemetry to identify devices missing the June 2026 patch level

Monitoring Recommendations

  • Enforce a minimum security patch level via Mobile Device Management (MDM) and flag devices reporting a ro.build.version.security_patch earlier than 2026-06-01
  • Centralize crash and tombstone collection from managed Pixel devices for review against driver-related signatures
  • Track sideloaded applications and restrict installation sources on enterprise-managed handsets
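
The kernel-log check under Detection Strategies and the patch-level check above can be combined into one triage pass. The following is an added example, not code from the advisory or from Google; the inventory record fields (id, security_patch, kernel_log), the device ids and the sample log lines are constructed for illustration.

```python
import re
from datetime import date

MIN_PATCH = date(2026, 6, 1)  # patch level named in the advisory
# KASAN report header: "BUG: KASAN: <kind> in <symbol>+0x<off>/0x<size>"
KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+0x")

def patch_is_current(value, minimum=MIN_PATCH):
    """True only for a valid YYYY-MM-DD level >= minimum; fail closed otherwise."""
    try:
        return date.fromisoformat((value or "").strip()) >= minimum
    except ValueError:
        return False

def edgetpu_kasan_reports(kernel_log, window=30):
    """(kind, symbol) for each KASAN report that mentions the Edge TPU driver.
    A report runs from its header to the next header, capped at `window` lines."""
    lines = kernel_log.splitlines()
    heads = [i for i, l in enumerate(lines) if KASAN_RE.search(l)]
    hits = []
    for i, nxt in zip(heads, heads[1:] + [len(lines)]):
        body = lines[i:min(nxt, i + window)]
        if any("edgetpu" in l.lower() for l in body):
            m = KASAN_RE.search(lines[i])
            hits.append((m["kind"], m["sym"]))
    return hits

def triage(device):
    """'investigate' on driver KASAN hits, else 'patch' if below minimum, else 'ok'."""
    if edgetpu_kasan_reports(device.get("kernel_log", "")):
        return "investigate"
    return "ok" if patch_is_current(device.get("security_patch")) else "patch"

# Constructed sample data (hypothetical device ids, log lines and addresses).
SAMPLE_LOG = """\
[  700.100] BUG: KASAN: slab-out-of-bounds in other_driver_fn+0x10/0x80
[  700.101] Call trace: other_driver_fn+0x10/0x80
[  812.104] BUG: KASAN: use-after-free in edgetpu_sync_fence_group_shutdown+0x48/0x120
[  812.105] Read of size 8 at addr ffffff8012345678 by task app/4242
"""
FLEET = [
    {"id": "pixel-a", "security_patch": "2026-05-05", "kernel_log": ""},
    {"id": "pixel-b", "security_patch": "2026-06-01", "kernel_log": ""},
    {"id": "pixel-c", "security_patch": "2026-06-01", "kernel_log": SAMPLE_LOG},
    {"id": "pixel-d", "security_patch": "unknown", "kernel_log": ""},
]
if __name__ == "__main__":
    for dev in FLEET:
        print(dev["id"], triage(dev))
```

A device with a missing or unparseable patch level is treated as unpatched, and a KASAN report takes priority over the patch level because a crash in this driver warrants review even on an updated build.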

How to Mitigate CVE-2026-0137

Immediate Actions Required

  • Apply the June 2026 Pixel security patch (security patch level 2026-06-01 or later) on all affected devices
  • Restrict installation of untrusted applications and require Google Play Protect to remain enabled
  • Inventory Pixel and Android devices in the environment and prioritize patching for those exposing the Edge TPU driver

Patch Information

Google released a fix for CVE-2026-0137 in the Android Security Bulletin June 2026 for Pixel devices. Administrators should ensure devices report a security patch level of 2026-06-01 or later. Refer to the bulletin for the exact source commit and supported device list.

Workarounds

  • No vendor-supplied workaround exists; patching is the only supported remediation
  • Limit exposure by preventing installation of untrusted third-party applications on at-risk devices
  • Decommission or isolate devices that cannot receive the June 2026 update from sensitive workloads

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
