Skip to main content
CVE Vulnerability Database

CVE-2026-0150: Google Android Privilege Escalation Flaw

CVE-2026-0150 is a privilege escalation vulnerability in Google Android's EdgeTPU firmware caused by an integer overflow leading to out of bounds write. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-0150 Overview

CVE-2026-0150 is an integer overflow vulnerability [CWE-190] in the ExecuteGraph command handler of the EdgeTPU firmware shipped with Google Android. The flaw allows a local attacker with low privileges to trigger an out-of-bounds write, leading to local privilege escalation up to root. Exploitation requires no user interaction. Google addressed the issue in the Android Security Bulletin June 2026.

Critical Impact

A successful exploit grants root-level code execution on affected Android devices through a local attack against the EdgeTPU firmware command path.

Affected Products

  • Google Android (Pixel devices with EdgeTPU firmware)
  • Devices receiving the 2026-06-01 Pixel security patch level
  • Android builds prior to the June 2026 Pixel security update

Discovery Timeline

  • 2026-06-16 - CVE-2026-0150 published to NVD
  • 2026-06-01 - Google releases security patch in the Pixel security bulletin
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0150

Vulnerability Analysis

The vulnerability resides in the ExecuteGraph command handler within the EdgeTPU firmware. EdgeTPU is Google's machine learning accelerator integrated into Pixel devices, and its firmware processes graph execution requests submitted from the application processor. The handler performs arithmetic on attacker-influenced size or length fields without validating the result. When the arithmetic wraps around the integer storage limit, the firmware allocates or indexes a buffer smaller than the data subsequently written.

The resulting out-of-bounds write occurs in firmware memory, which executes with higher privileges than the calling user-space process. By shaping the overflowed write, an attacker corrupts adjacent structures and steers execution to escalate from a local low-privileged context to root. No user interaction is required, and the attack is local: the adversary must already be running code on the device, for example through a malicious application.

Root Cause

The root cause is an unchecked integer overflow [CWE-190] in length or size calculations inside the ExecuteGraph command handler. The firmware trusts attacker-controlled values that flow into buffer sizing math, producing a truncated allocation while the subsequent copy uses the original, larger length.

Attack Vector

A local attacker delivers a crafted ExecuteGraph command to the EdgeTPU firmware through the standard kernel driver interface exposed to user space. The malformed graph descriptor contains size fields chosen to trigger the wrap. The firmware writes past the intended buffer boundary, corrupting firmware state and enabling privilege escalation to root on the host.

No verified proof-of-concept code is publicly available. Refer to the Android Security Bulletin June 2026 for vendor technical details.

Detection Methods for CVE-2026-0150

Indicators of Compromise

  • Unexpected EdgeTPU driver crashes, watchdog resets, or firmware panics recorded in dmesg or logcat
  • Untrusted applications interacting with the EdgeTPU device node without a legitimate machine learning workload
  • Anomalous root-privileged processes spawned shortly after EdgeTPU activity

Detection Strategies

  • Monitor kernel logs for repeated EdgeTPU firmware faults or graph execution errors that may indicate exploitation attempts.
  • Inventory installed applications and flag those requesting access to neural accelerator APIs without a documented use case.
  • Validate device patch levels against the 2026-06-01 Pixel security patch level via mobile device management (MDM) telemetry.

Monitoring Recommendations

  • Collect Android logcat and kernel ring-buffer data centrally to identify EdgeTPU subsystem instability across the fleet.
  • Track Pixel security patch level compliance and alert on devices remaining on pre-June 2026 builds.
  • Enable Google Play Protect and review sideloading events on managed devices.

How to Mitigate CVE-2026-0150

Immediate Actions Required

  • Apply the 2026-06-01 Pixel security patch level or later to all affected Android devices.
  • Enforce minimum patch level policies through MDM to block non-compliant devices from corporate resources.
  • Restrict installation of untrusted applications, since exploitation requires local code execution on the device.

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the corrected EdgeTPU firmware. Pixel users should verify the patch level under Settings → About phone → Android version.

Workarounds

  • No vendor-supplied workaround exists; applying the firmware update is the supported remediation.
  • Limit exposure by removing unused or untrusted applications that could provide a local execution foothold.
  • Use Google Play Protect and enterprise app vetting to reduce the likelihood of malicious local code reaching the EdgeTPU interface.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.