CVE-2026-0152 Overview
CVE-2026-0152 is a local privilege escalation vulnerability in the Android kernel. The flaw resides in the OSMMapPMRGeneric function within pmr_os.c, a component of the PowerVR graphics driver memory management subsystem. A logic error allows a local attacker to leverage a system call to expand a Virtual Memory Area (VMA) beyond its intended bounds. Successful exploitation grants elevated privileges on the device without requiring user interaction or additional execution privileges. Google addressed the issue in the June 2026 Android Security Bulletin.
Critical Impact
Local applications with low privileges can escalate to kernel-level access, compromising device confidentiality, integrity, and availability.
Affected Products
- Google Android (Pixel devices, per the June 2026 Pixel bulletin)
- Devices using the affected PowerVR graphics driver implementation
- Android kernel builds prior to the June 2026 security patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0152 published to NVD
- 2026-06-17 - Last updated in NVD database
- 2026-06-01 - Google publishes the Android Security Bulletin June 2026
Technical Details for CVE-2026-0152
Vulnerability Analysis
The vulnerability is a memory corruption issue classified as [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). The defect exists in OSMMapPMRGeneric, the function responsible for mapping Physical Memory Resources (PMR) into a process address space on Android devices using PowerVR graphics drivers. A logic error in the mapping routine allows the kernel-side VMA structure to be expanded outside its intended boundaries. Once the VMA exceeds its sanctioned range, an attacker can interact with kernel memory that should remain inaccessible to user space, enabling privilege escalation to a higher trust domain.
Root Cause
The root cause is a flawed boundary check during VMA expansion within pmr_os.c. The code path invoked through a system call accepts parameters that allow the resulting mapping size or offset to grow beyond the underlying PMR allocation. Because the kernel does not adequately validate the post-expansion bounds against the original physical memory resource, mappings can be constructed that overlap unrelated kernel-managed pages.
Attack Vector
Exploitation requires local access with low privileges. An attacker delivers a malicious application or shell payload that invokes the vulnerable system call against the graphics driver. By crafting specific arguments to the mapping routine, the attacker triggers the out-of-bounds VMA expansion and gains read or write primitives over kernel memory. No user interaction is required during exploitation. The vulnerability is exploitable from the local attack surface only and cannot be reached remotely without first obtaining code execution on the device.
No verified public proof-of-concept code is available for CVE-2026-0152. See the Android Security Bulletin June 2026 for vendor-published technical context.
Detection Methods for CVE-2026-0152
Indicators of Compromise
- Unexpected processes spawned with elevated UID or GID after invoking graphics driver ioctls
- Anomalous mmap or device-node activity targeting PowerVR driver files such as /dev/pvr_sync or related PMR interfaces
- Crash logs or kernel oops messages referencing OSMMapPMRGeneric or VMA bounds
Detection Strategies
- Monitor mobile endpoints for unsigned or sideloaded applications that issue unusual sequences of graphics driver system calls
- Correlate kernel log entries citing VMA expansion failures with subsequent privilege transitions on the same process tree
- Compare device Android security patch levels against the June 2026 baseline to identify unpatched assets
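An added example, not taken from the vendor bulletin or from any tool named on this page: a shell function that scans kernel log text for oops reports referencing OSMMapPMRGeneric and prints the PID and command name of the task each report names, giving the process to check for later privilege transitions. The log lines in `sample_klog` are constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: attribute kernel oops reports that mention OSMMapPMRGeneric
# to the task that triggered them.

# sample_klog: constructed kernel log excerpt (not captured from a device).
sample_klog() {
    cat <<'EOF'
[  812.104511] Unable to handle kernel paging request at virtual address ffffffc012345000
[  812.104530] CPU: 2 PID: 4321 Comm: test_app Tainted: G        W
[  812.104544] Call trace:
[  812.104551]  OSMMapPMRGeneric+0x1a4/0x2c0
[  901.220010] ------------[ cut here ]------------
[  901.220031] CPU: 0 PID: 77 Comm: kworker/0:1 Not tainted
[  901.220040]  some_other_function+0x10/0x40
[  955.000100] Unable to handle kernel paging request at virtual address ffffffc012346000
[  955.000120]  OSMMapPMRGeneric+0x1a4/0x2c0
EOF
}

# oops_hits [FILE...]: print "pid comm" once per task whose report references
# OSMMapPMRGeneric. Reads stdin when no file is given.
oops_hits() {
    awk '
        # A new report begins: forget the task from the previous one so a
        # truncated report is never attributed to an unrelated process.
        /Unable to handle kernel|\[ cut here \]/ { pid = ""; comm = "" }
        # The report names the faulting task on its "PID: n Comm: name" line.
        /PID: [0-9]+ Comm: / {
            for (i = 1; i < NF; i++) {
                if ($i == "PID:")  pid  = $(i + 1)
                if ($i == "Comm:") comm = $(i + 1)
            }
        }
        # Symbol seen inside a report with a known task: emit it once per PID.
        /OSMMapPMRGeneric/ && pid != "" && !seen[pid]++ { print pid, comm }
    ' "$@"
}
```

Running `sample_klog | oops_hits` prints only the first task; the last report in the sample has no task line and is skipped rather than attributed to the preceding kworker.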
Monitoring Recommendations
- Ingest Android device telemetry including logcat and kernel logs into a centralized data lake for correlation
- Alert on application installations from non-Play sources on managed devices, since local code execution is a prerequisite
- Track MDM compliance reports for the Android security patch level field to flag devices below the June 2026 patch
How to Mitigate CVE-2026-0152
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) on all eligible Pixel and Android devices
- Enforce mobile device management (MDM) policies that block enrollment or network access for devices below the required patch level
- Restrict installation of applications from unknown sources to reduce the local code execution prerequisite
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the corrected OSMMapPMRGeneric implementation. OEM rollout timing varies; consult the device manufacturer for delivery schedules on non-Pixel hardware.
Workarounds
- No vendor-supplied workaround exists; patching is the only complete remediation
- Limit untrusted application installation through Google Play Protect and enterprise app allowlisting until patches are deployed
- Isolate or retire devices that have reached end-of-life and will not receive the June 2026 patch
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later

