Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-0106 -- CVSS 9.3 Vulnerability Briefing

CVE-2026-0106 | CVSS 9.3 (Critical) | Exploit: PoC available

What Is It

CVE-2026-0106 is a missing bounds check vulnerability in the vpu_mmap function of the vpu_ioctl component in Google Android, allowing an unprivileged local attacker to map arbitrary memory addresses.

Technical Detail

The flaw exists because vpu_mmap in the VPU (Video Processing Unit) ioctl handler fails to validate user-supplied address or offset parameters before performing an mmap operation, enabling an attacker to map arbitrary physical or kernel addresses into user space. A local process with no elevated privileges can invoke the vulnerable ioctl to trigger the out-of-bounds mmap, potentially gaining read/write access to privileged memory regions. Successful exploitation results in local privilege escalation, allowing the attacker to execute code in a higher-privileged context or fully compromise the device kernel.

Exploitation Status

A proof-of-concept exploit is publicly available for this vulnerability. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, and there is no confirmed evidence of active exploitation in the wild as of May 16, 2026. However, the availability of a PoC lowers the barrier for exploitation and increases the likelihood of weaponization in the near term.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in connection with this vulnerability.

What To Do

Apply the relevant Android security patch from Google as soon as it becomes available through the Android Security Bulletin. Given the critical CVSS score of 9.3 and the public availability of a PoC, this should be treated as a high-priority patch for any Android fleet, particularly managed enterprise devices and those handling sensitive data. Organizations should monitor Android Security Bulletin advisories for the patch addressing this specific CVE and prioritize deployment through MDM or device management pipelines. Until a patch is applied, restricting untrusted application installation and enforcing SELinux enforcing mode may reduce the attack surface, though neither constitutes a complete mitigation. Detection teams should monitor for anomalous ioctl calls targeting VPU device nodes from unprivileged processes.