CVE-2026-0152: Google Android Privilege Escalation Flaw

CVE-2026-0152 is a privilege escalation vulnerability in the OSMMapPMRGeneric function of Google Android that allows attackers to expand a VMA out of bounds. This article covers technical details, affected versions, and mitigation.

CVE-2026-0152 Overview

CVE-2026-0152 is a local privilege escalation vulnerability in the Android kernel. The flaw resides in the OSMMapPMRGeneric function within pmr_os.c, a component of the PowerVR graphics driver memory management subsystem. A logic error allows a local attacker to leverage a system call to expand a Virtual Memory Area (VMA) beyond its intended bounds. Successful exploitation grants elevated privileges on the device without requiring user interaction or additional execution privileges. Google addressed the issue in the June 2026 Android Security Bulletin.

Critical Impact

Local applications with low privileges can escalate to kernel-level access, compromising device confidentiality, integrity, and availability.

Affected Products

  • Google Android (Pixel devices, per the June 2026 Pixel bulletin)
  • Devices using the affected PowerVR graphics driver implementation
  • Android kernel builds prior to the June 2026 security patch level

Technical Details for CVE-2026-0152

Vulnerability Analysis

The vulnerability is a memory corruption issue classified as [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). The defect exists in OSMMapPMRGeneric, the function responsible for mapping Physical Memory Resources (PMR) into a process address space on Android devices using PowerVR graphics drivers. A logic error in the mapping routine allows the kernel-side VMA structure to be expanded outside its intended boundaries. Once the VMA exceeds its sanctioned range, an attacker can interact with kernel memory that should remain inaccessible to user space, enabling privilege escalation to a higher trust domain.

Root Cause

The root cause is a flawed boundary check during VMA expansion within pmr_os.c. The code path invoked through a system call accepts parameters that allow the resulting mapping size or offset to grow beyond the underlying PMR allocation. Because the kernel does not adequately validate the post-expansion bounds against the original physical memory resource, mappings can be constructed that overlap unrelated kernel-managed pages.

Attack Vector

Exploitation requires local access with low privileges. An attacker delivers a malicious application or shell payload that invokes the vulnerable system call against the graphics driver. By crafting specific arguments to the mapping routine, the attacker triggers the out-of-bounds VMA expansion and gains read or write primitives over kernel memory. No user interaction is required during exploitation. The vulnerability is exploitable from the local attack surface only and cannot be reached remotely without first obtaining code execution on the device.

No verified public proof-of-concept code is available for CVE-2026-0152. See the Android Security Bulletin June 2026 for vendor-published technical context.

Detection Methods for CVE-2026-0152

Indicators of Compromise

  • Unexpected processes spawned with elevated UID or GID after invoking graphics driver ioctls
  • Anomalous mmap or device-node activity targeting PowerVR driver files such as /dev/pvr_sync or related PMR interfaces
  • Crash logs or kernel oops messages referencing OSMMapPMRGeneric or VMA bounds

Detection Strategies

  • Monitor mobile endpoints for unsigned or sideloaded applications that issue unusual sequences of graphics driver system calls
  • Correlate kernel log entries citing VMA expansion failures with subsequent privilege transitions on the same process tree
  • Compare device Android security patch levels against the June 2026 baseline to identify unpatched assets

Monitoring Recommendations

  • Ingest Android device telemetry including logcat and kernel logs into a centralized data lake for correlation
  • Alert on application installations from non-Play sources on managed devices, since local code execution is a prerequisite
  • Track MDM compliance reports for the Android security patch level field to flag devices below the June 2026 patch

How to Mitigate CVE-2026-0152

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) on all eligible Pixel and Android devices
  • Enforce mobile device management (MDM) policies that block enrollment or network access for devices below the required patch level
  • Restrict installation of applications from unknown sources to reduce the local code execution prerequisite

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the corrected OSMMapPMRGeneric implementation. OEM rollout timing varies; consult the device manufacturer for delivery schedules on non-Pixel hardware.

Workarounds

  • No vendor-supplied workaround exists; patching is the only complete remediation
  • Limit untrusted application installation through Google Play Protect and enterprise app allowlisting until patches are deployed
  • Isolate or retire devices that have reached end-of-life and will not receive the June 2026 patch

```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later
```
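
The single-device check above can be extended to the fleet-wide comparison described under Detection Strategies and Monitoring Recommendations. The script below is an added example, not vendor or Google code; its function names, device serials and inventory rows are constructed for illustration, and only the `getprop` property and the 2026-06-01 baseline come from the page.

```shell
#!/bin/sh
# Added example: flag devices below the 2026-06-01 security patch level.
BASELINE="2026-06-01"

# Print PATCHED, VULNERABLE or UNKNOWN for one patch-level string.
classify_patch_level() {
    # Strip whitespace and the carriage return some adb builds append.
    lvl=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "UNKNOWN"; return 0 ;;  # empty, malformed or an error string
    esac
    # Drop the dashes so zero-padded dates compare as plain integers.
    have=$(printf '%s' "$lvl" | sed 's/-//g')
    need=$(printf '%s' "$BASELINE" | sed 's/-//g')
    if [ "$have" -lt "$need" ]; then echo "VULNERABLE"; else echo "PATCHED"; fi
}

# Read "serial patch_level" lines on stdin; print every device that is
# not confirmed patched, so UNKNOWN devices are surfaced rather than skipped.
report_unpatched() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = "PATCHED" ] || echo "$serial $status ${level:-<none>}"
    done
}

# Emit "serial patch_level" for each device adb currently lists as online.
collect_from_adb() {
    for s in $(adb devices | awk 'NR>1 && $2=="device" {print $1}'); do
        echo "$s $(adb -s "$s" shell getprop ro.build.version.security_patch)"
    done
}

# Constructed sample inventory (hypothetical serials), as an MDM export might list.
sample_inventory() {
    cat <<'EOF'
PIXEL-A01 2026-06-05
PIXEL-B02 2026-05-01
TABLET-C03 2025-12-01
PHONE-D04
PHONE-E05 2026-06-01
EOF
}

sample_inventory | report_unpatched
```

On a workstation with devices attached, `collect_from_adb | report_unpatched` runs the same check against live devices instead of the sample rows.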

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.