CVE-2026-0143 Overview
CVE-2026-0143 is a use-after-free vulnerability [CWE-416] in the lwis_device_external_event_emit function of lwis_event.c within the Google Android Lightweight Imaging Sensor (LWIS) driver. The flaw allows local memory corruption that an attacker can leverage to achieve privilege escalation to System execution context. Exploitation requires no user interaction. Google addressed the issue in the June 2026 Android Security Bulletin.
Critical Impact
A local attacker holding low privileges can corrupt kernel memory through the LWIS driver and escalate to System privileges without any user interaction.
Affected Products
- Google Android (Pixel devices, per the June 2026 Pixel Update Bulletin)
- Android builds incorporating the vulnerable lwis_event.c component
- Devices using the LWIS camera/imaging subsystem driver
Discovery Timeline
- 2026-06-01 - Addressed in the Android Security Bulletin June 2026
- 2026-06-16 - CVE-2026-0143 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0143
Vulnerability Analysis
The vulnerability resides in lwis_device_external_event_emit, a function within the LWIS (Lightweight Imaging Sensor) driver responsible for dispatching external events between imaging devices and userspace consumers. The function operates on event objects whose lifetime is governed by reference counting and subscription state. A use-after-free condition arises when the function accesses an event or subscriber structure after it has been released, enabling controlled memory corruption inside kernel address space.
Because the LWIS driver runs in kernel context and is reachable from userspace through device file operations, an attacker with local code execution can trigger the dangling reference and influence subsequent allocations. Successful exploitation leads to arbitrary kernel memory write primitives and elevation to the System user, which holds broad device-management privileges on Android.
Root Cause
The root cause is improper object lifetime management within the event emission path. The driver dereferences a pointer to an external event or its associated subscriber after a concurrent or sequential code path has freed the underlying allocation, classifying the defect as CWE-416 (Use After Free).
Attack Vector
The attack vector is local. An unprivileged or low-privileged application on the device interacts with the LWIS device node through ioctl and event subscription interfaces, then races or sequences operations to free an event object while another path still references it. No user interaction is required beyond installing or running the malicious application.
Verified exploit code for CVE-2026-0143 is not publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score at publication was 0.073%.
Detection Methods for CVE-2026-0143
Indicators of Compromise
- Unexpected kernel oops, panics, or KASAN reports referencing lwis_device_external_event_emit or lwis_event.c in dmesg and logcat.
- Untrusted or sideloaded applications opening /dev/lwis* device nodes and issuing event-related ioctl calls in rapid succession.
- Processes transitioning to the system UID without an expected service launch path in audit logs.
Detection Strategies
- Monitor Android kernel logs for use-after-free signatures, including KASAN slab-use-after-free traces involving the LWIS subsystem.
- Track applications that access camera/imaging device nodes directly, outside the standard CameraService-brokered flows.
- Correlate process crashes in media or camera helper processes with subsequent privilege changes on the device.
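The first detection strategy above, worked through as an added example (not code from the page or from Google's LWIS project): it groups multi-line KASAN use-after-free reports from raw kernel log text and keeps only those whose faulting function or backtrace belongs to the LWIS driver. The dmesg excerpt is constructed; addresses, PIDs, the task name and the frame name lwis_ioctl_handler are made up, and only lwis_device_external_event_emit comes from the advisory.

```python
import re

# Constructed dmesg excerpt (not from a real device): one LWIS report and
# one unrelated binder report. Addresses, PIDs and lwis_ioctl_handler are made up.
SAMPLE_DMESG = """\
[  812.441250] BUG: KASAN: slab-use-after-free in lwis_device_external_event_emit+0x1a4/0x2c0 [lwis]
[  812.441300] Read of size 8 at addr ffffff80a1b2c3d0 by task camerahalserver/1472
[  812.441350] Call trace:
[  812.441400]  dump_backtrace+0x0/0x1c0
[  812.441450]  lwis_device_external_event_emit+0x1a4/0x2c0 [lwis]
[  812.441500]  lwis_ioctl_handler+0x3e8/0x9b0 [lwis]
[  812.441550] ==================================================================
[  900.001000] BUG: KASAN: slab-use-after-free in binder_transaction+0x520/0x2a00
[  900.001100] Write of size 4 at addr ffffff80aabbccdd by task servicemanager/321
[  900.001200] Call trace:
[  900.001300]  binder_transaction+0x520/0x2a00
[  900.001400] ==================================================================
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")  # dmesg "[  812.441250] " prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>(?:slab-)?use-after-free) in (?P<func>\w+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr \w+ by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^\s*(?P<func>\w+)\+0x")  # backtrace frame "func+0xoff/0xlen"

def parse_kasan_reports(text):
    """Group multi-line KASAN use-after-free reports; returns one dict per report."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        m = HEADER.search(line)
        if m:  # a new report starts; fields below are filled by later lines
            cur = {"kind": m["kind"], "func": m["func"], "frames": [],
                   "rw": None, "size": None, "task": None, "pid": None}
            reports.append(cur)
        elif cur is None:
            continue
        elif line.startswith("===="):  # KASAN report terminator
            cur = None
        elif (m := ACCESS.search(line)):
            cur.update(rw=m["rw"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif (m := FRAME.match(line)):
            cur["frames"].append(m["func"])
    return reports

def lwis_uaf_hits(text):
    """Reports whose faulting function or any backtrace frame is in the LWIS driver."""
    return [r for r in parse_kasan_reports(text)
            if r["func"].startswith("lwis_") or any(f.startswith("lwis_") for f in r["frames"])]
```

Feed it `adb shell dmesg` or the kernel lines from logcat; a non-empty result is the alert condition, and the task/pid fields tell you which process was touching the driver when the report fired.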
Monitoring Recommendations
- Ingest Android device telemetry, including logcat, kernel ring buffer output, and SELinux denials, into a centralized logging platform for anomaly review.
- Alert on installations of unsigned or sideloaded APKs on managed devices and on ioctl patterns targeting LWIS endpoints.
- Track patch level (ro.build.version.security_patch) across the device fleet to identify hosts still below the 2026-06-01 patch level.
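The fleet patch-level check from the last recommendation, as an added example (not code from the page or from an MDM product): it classifies each device's ro.build.version.security_patch value against the 2026-06-01 level and flags empty or malformed values separately, since a blank or vendor-formatted string is not evidence of remediation. The export format and serials are constructed assumptions.

```python
import re
from datetime import date

# Patch level from the June 2026 bulletin; devices at or above it are remediated.
REQUIRED_PATCH_LEVEL = date(2026, 6, 1)
PATCH_FORMAT = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed MDM export (serials and values made up): one line per device,
# "serial<TAB>ro.build.version.security_patch" as collected by getprop.
FLEET_EXPORT = """\
PX1A0001\t2026-06-01
PX1A0002\t2026-05-05
PX1A0003\t2026-07-01
PX1A0004\t
PX1A0005\t2026-6-1
"""

def classify_patch_level(value):
    """Return 'ok', 'below', 'missing' or 'malformed' for one security_patch value."""
    value = value.strip()
    if not value:
        return "missing"
    if not PATCH_FORMAT.match(value):
        return "malformed"  # e.g. "2026-6-1" or a vendor-specific string
    try:
        level = date.fromisoformat(value)
    except ValueError:  # right shape, impossible date (e.g. month 13)
        return "malformed"
    return "ok" if level >= REQUIRED_PATCH_LEVEL else "below"

def noncompliant_devices(export):
    """Map serial -> reason for every device not at the required patch level."""
    findings = {}
    for line in export.splitlines():
        serial, _, value = line.partition("\t")
        status = classify_patch_level(value)
        if status != "ok":
            findings[serial] = status
    return findings
```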
How to Mitigate CVE-2026-0143
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) on all affected Pixel and Android devices.
- Enforce mobile device management policies that block installation of untrusted applications from outside vetted app stores.
- Audit installed applications for unnecessary access to camera and imaging subsystems and remove unused ones.
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Device vendors integrate the corresponding AOSP patch into their monthly security updates. Confirm the device reports a security patch level of 2026-06-01 or later after updating.
Workarounds
- No vendor-supplied workaround exists; patching is the only complete remediation.
- Restrict device enrollment to builds at or above the June 2026 patch level using conditional access or MDM compliance policies.
- Disable or restrict third-party application installation on high-risk devices until the update is deployed.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

