CVE-2026-0137 Overview
CVE-2026-0137 is a use-after-free vulnerability [CWE-416] in the edgetpu_sync_fence_group_shutdown() function within edgetpu-dmabuf.c, a component of the Edge TPU driver shipped with Google Android. A local attacker with low privileges can trigger the freed memory reference to achieve elevation of privilege with System execution rights. The flaw does not require user interaction and was disclosed in the June 2026 Android Security Bulletin for Pixel devices.
Critical Impact
Successful exploitation grants System-level execution privileges on affected Android devices, allowing an attacker to bypass the Android sandbox and compromise device confidentiality, integrity, and availability.
Affected Products
- Google Android (Pixel devices using the Edge TPU driver)
- Devices shipping the vulnerable edgetpu-dmabuf.c kernel component
- Android builds prior to the June 2026 Pixel security patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0137 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
- 2026-06-01 - Addressed in the Android Security Bulletin June 2026
Technical Details for CVE-2026-0137
Vulnerability Analysis
The vulnerability resides in the Edge TPU (Tensor Processing Unit) DMA-BUF subsystem, which manages buffer sharing between the kernel and the on-device machine learning accelerator. The edgetpu_sync_fence_group_shutdown() function dereferences a memory object after it has already been freed. An attacker running an unprivileged local process can race or manipulate fence group teardown to access dangling memory. Because the Edge TPU driver runs inside the kernel, exploitation yields System privileges, sufficient to disable security controls and read or modify protected data on the device.
Root Cause
The root cause is improper lifetime management of sync fence group objects within the Edge TPU DMA-BUF code path. When edgetpu_sync_fence_group_shutdown() executes, it operates on a structure whose backing allocation has already been released by a concurrent or prior code path. The absence of correct reference counting or synchronization around the fence group permits subsequent use of freed memory [CWE-416].
Attack Vector
The attack vector is local. An adversary must have code execution on the device, typically via a malicious application or a compromised process. No user interaction is required. Exploitation involves invoking driver ioctls or interfaces that interact with Edge TPU DMA-BUF sync fence groups in a sequence that triggers the use-after-free condition, then leveraging the dangling pointer to corrupt kernel memory and elevate privileges. Specific exploitation details are not published in the public advisory.
Detection Methods for CVE-2026-0137
Indicators of Compromise
- Unexpected kernel crashes or panics referencing edgetpu_sync_fence_group_shutdown or the edgetpu-dmabuf module
- Untrusted applications repeatedly opening Edge TPU device nodes such as /dev/edgetpu and issuing fence-related ioctls
- Processes transitioning to the system UID without a legitimate Android service launch path
Detection Strategies
- Monitor kernel logs (logcat -b kernel, dmesg) for KASAN or use-after-free reports involving the Edge TPU driver
- Audit installed applications that request access to TPU or DMA-BUF device interfaces without a clear ML workload justification
- Use Android Verified Boot and Play Protect telemetry to identify devices missing the June 2026 patch level
Monitoring Recommendations
- Enforce a minimum security patch level via Mobile Device Management (MDM) and flag devices reporting a ro.build.version.security_patch earlier than 2026-06-01
- Centralize crash and tombstone collection from managed Pixel devices for review against driver-related signatures
- Track sideloaded applications and restrict installation sources on enterprise-managed handsets
How to Mitigate CVE-2026-0137
Immediate Actions Required
- Apply the June 2026 Pixel security patch (security patch level 2026-06-01 or later) on all affected devices
- Restrict installation of untrusted applications and require Google Play Protect to remain enabled
- Inventory Pixel and Android devices in the environment and prioritize patching for those exposing the Edge TPU driver
Patch Information
Google released a fix for CVE-2026-0137 in the Android Security Bulletin June 2026 for Pixel devices. Administrators should ensure devices report a security patch level of 2026-06-01 or later. Refer to the bulletin for the exact source commit and supported device list.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation
- Limit exposure by preventing installation of untrusted third-party applications on at-risk devices
- Decommission or isolate devices that cannot receive the June 2026 update from sensitive workloads
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

