CVE-2026-0142 Overview
CVE-2026-0142 is an out-of-bounds read vulnerability in the iavb_parse_key_data function of avb_rsa.c in Google Android. The flaw stems from improper input validation when parsing RSA key data structures used by Android Verified Boot (AVB). A local attacker with low privileges can trigger the condition without user interaction. Successful exploitation leads to local information disclosure from adjacent memory regions. Google addressed the issue in the June 2026 Android Security Bulletin.
Critical Impact
Local attackers with low privileges can read out-of-bounds memory in the AVB RSA parser, exposing process memory contents without requiring user interaction or additional execution privileges.
Affected Products
- Google Android (see Android Security Bulletin June 2026 for affected builds)
- Android Verified Boot (AVB) component avb_rsa.c
- Pixel devices receiving the June 2026 security patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0142 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD
Technical Details for CVE-2026-0142
Vulnerability Analysis
The vulnerability resides in iavb_parse_key_data, a function in avb_rsa.c responsible for parsing RSA public key blobs used by Android Verified Boot. The parser fails to properly validate input length fields against the actual buffer size before reading key material. This mismatch allows reads to extend past the allocated buffer boundary. The result is disclosure of adjacent heap or stack memory contents to the calling context. Because AVB is invoked early and across privileged code paths, the leaked bytes may contain sensitive runtime data. The issue is classified under [CWE-20] Improper Input Validation.
Root Cause
The root cause is missing or insufficient bounds checking on length fields embedded in the RSA key data structure. The iavb_parse_key_data routine trusts attacker-influenced size metadata when iterating over key components such as the modulus or exponent. When the supplied length exceeds the available buffer, the function reads past the end of the allocation. No memory safety primitive intercepts the access, so the read returns whatever resides in the next memory region.
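The unchecked length field described in the analysis and root cause above, as an added C example. This is not libavb code and does not reproduce the actual key layout parsed in avb_rsa.c: the blob format, the size limits, the function names and the sample inputs are all constructed assumptions. It shows the same bug class (a parser trusting an embedded length field) beside the bounds checks a hardened parser applies before dereferencing any offset derived from that field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical key blob layout for this example only (NOT libavb's format):
 *   offset 0 : uint32_t key_num_bits (big-endian)
 *   offset 4 : uint8_t  modulus[key_num_bits / 8]
 *   then     : uint32_t exponent     (big-endian)
 * The only property that matters is the embedded length field. */
enum { HDR_LEN = 4, EXP_LEN = 4, MIN_BITS = 1024, MAX_BITS = 8192 };

typedef struct {
    uint32_t key_num_bits;
    const uint8_t *modulus;   /* points into the caller's blob, not copied */
    size_t modulus_len;
    uint32_t exponent;
} rsa_key_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (CWE-20): the embedded length is trusted, so a blob that
 * claims a larger key than it carries makes the exponent read land past the
 * end of `blob`. Shown only for contrast; never called on malformed input here. */
bool parse_key_unchecked(const uint8_t *blob, size_t blob_len, rsa_key_t *out) {
    if (blob_len < HDR_LEN) return false;
    out->key_num_bits = be32(blob);
    out->modulus_len  = out->key_num_bits / 8;                 /* attacker-influenced */
    out->modulus      = blob + HDR_LEN;
    out->exponent     = be32(blob + HDR_LEN + out->modulus_len); /* no bounds check */
    return true;
}

/* Hardened parser: every offset derived from the length field is validated
 * against blob_len before it is dereferenced. */
bool parse_key_checked(const uint8_t *blob, size_t blob_len, rsa_key_t *out) {
    if (blob == NULL || out == NULL) return false;
    if (blob_len < HDR_LEN + EXP_LEN) return false;      /* header and exponent must fit */
    uint32_t bits = be32(blob);
    if (bits % 8 != 0 || bits < MIN_BITS || bits > MAX_BITS) return false; /* sane sizes only */
    size_t modulus_len = bits / 8;
    /* Compare by subtraction so the check itself cannot overflow. */
    if (modulus_len > blob_len - HDR_LEN - EXP_LEN) return false;
    /* Require the blob to be exactly the declared size: no trailing bytes either. */
    if (blob_len != HDR_LEN + modulus_len + EXP_LEN) return false;
    out->key_num_bits = bits;
    out->modulus      = blob + HDR_LEN;
    out->modulus_len  = modulus_len;
    out->exponent     = be32(blob + HDR_LEN + modulus_len);
    return true;
}

/* Constructed well-formed blob (dummy modulus bytes) for the scenarios below. */
static size_t build_blob(uint8_t *buf, size_t cap, uint32_t bits, uint32_t exponent) {
    size_t modulus_len = bits / 8, total = HDR_LEN + modulus_len + EXP_LEN;
    if (total > cap) return 0;
    buf[0] = (uint8_t)(bits >> 24); buf[1] = (uint8_t)(bits >> 16);
    buf[2] = (uint8_t)(bits >> 8);  buf[3] = (uint8_t)bits;
    for (size_t i = 0; i < modulus_len; i++) buf[HDR_LEN + i] = (uint8_t)(0xA5 ^ i);
    uint8_t *e = buf + HDR_LEN + modulus_len;
    e[0] = (uint8_t)(exponent >> 24); e[1] = (uint8_t)(exponent >> 16);
    e[2] = (uint8_t)(exponent >> 8);  e[3] = (uint8_t)exponent;
    return total;
}

/* Scenario 1: a well-formed 2048-bit blob (264 bytes) parses under both parsers. */
int scenario_valid_key(void) {
    uint8_t buf[HDR_LEN + 256 + EXP_LEN];
    rsa_key_t a, b;
    size_t len = build_blob(buf, sizeof buf, 2048, 65537);
    return len == sizeof buf
        && parse_key_unchecked(buf, len, &a) && a.exponent == 65537
        && parse_key_checked(buf, len, &b) && b.modulus_len == 256 && b.exponent == 65537;
}

/* Scenario 2: key_num_bits rewritten to claim a 4096-bit key inside the 264-byte
 * blob. The checked parser rejects it; the unchecked one would read past `buf`. */
int scenario_oversized_length_rejected(void) {
    uint8_t buf[HDR_LEN + 256 + EXP_LEN];
    rsa_key_t k;
    size_t len = build_blob(buf, sizeof buf, 2048, 65537);
    buf[0] = 0x00; buf[1] = 0x00; buf[2] = 0x10; buf[3] = 0x00;   /* 0x00001000 = 4096 bits */
    return len == sizeof buf && !parse_key_checked(buf, len, &k);
}

/* Scenario 3: a blob truncated in transit; the declared modulus no longer fits. */
int scenario_truncated_rejected(void) {
    uint8_t buf[HDR_LEN + 256 + EXP_LEN];
    rsa_key_t k;
    size_t len = build_blob(buf, sizeof buf, 2048, 65537);
    return len == sizeof buf && !parse_key_checked(buf, len - 16, &k);
}

int main(void) {
    printf("valid key parsed:        %s\n", scenario_valid_key() ? "yes" : "no");
    printf("oversized length caught: %s\n", scenario_oversized_length_rejected() ? "yes" : "no");
    printf("truncated blob caught:   %s\n", scenario_truncated_rejected() ? "yes" : "no");
    return 0;
}
```

The two checks that matter are the subtraction-form comparison (`modulus_len > blob_len - HDR_LEN - EXP_LEN`), which cannot wrap the way `HDR_LEN + modulus_len + EXP_LEN > blob_len` can on 32-bit targets, and the exact-length requirement, which also rejects blobs padded with trailing bytes; the plausibility range on key_num_bits is a second, independent line of defence.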
Attack Vector
Exploitation requires local access with low privileges on the device. An attacker supplies a crafted RSA key blob to a code path that invokes iavb_parse_key_data. Parsing the malformed structure triggers the out-of-bounds read and returns leaked bytes through observable side effects or error handling paths. User interaction is not required. The vulnerability does not by itself grant code execution or modify integrity, but the leaked data can be chained with other flaws to defeat address space layout randomization or recover secrets.
No verified public exploit code is available. See the Android Security Bulletin June 2026 for technical references.
Detection Methods for CVE-2026-0142
Indicators of Compromise
- Anomalous calls to AVB verification routines from non-boot contexts or unprivileged processes.
- Crash logs or logcat entries referencing avb_rsa.c or iavb_parse_key_data with malformed key data.
- Unexpected RSA key blobs delivered through local IPC, partitions, or update payloads on the device.
Detection Strategies
- Audit device builds against the June 2026 Android security patch level to identify unpatched fleets.
- Monitor mobile telemetry for processes invoking AVB key parsing outside of normal boot or update workflows.
- Inspect side-loaded packages and OTA payloads for RSA key structures with inconsistent length fields.
Monitoring Recommendations
- Forward mobile device logs and crash reports to a centralized analytics pipeline for review of AVB-related faults.
- Track Android security patch level (ro.build.version.security_patch) across managed devices and flag values older than 2026-06-01.
- Alert on repeated parser failures in boot or verification components, which can indicate exploitation attempts.
How to Mitigate CVE-2026-0142
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) to all Pixel and supported Android devices.
- Enforce a mobile device management policy that blocks devices below the patched security patch level from accessing sensitive resources.
- Restrict installation of untrusted applications and side-loaded packages that could deliver crafted key data.
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Device vendors integrate the patch through their monthly security update channels. Confirm that the device reports a security patch level of 2026-06-01 or later after the update.
Workarounds
- No vendor-supplied workaround exists. Patching is the supported remediation path.
- Limit local access to the device by enforcing strong screen locks and disabling developer options and ADB on production fleets.
- Reduce attack surface by removing unused applications that could be leveraged to reach the vulnerable parser.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 (or later) once CVE-2026-0142 is remediated
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

