CVE-2026-0125: In multiple functions of vpu_ioctl
In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.0
- Severity: HIGH
- Fixed in: none yet (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Android kernel's VPU (video processing unit) driver, specifically in multiple functions of vpu_ioctl.c, is reachable by a local attacker with a low-privilege account. Exploitation requires winning a race condition between concurrent kernel operations. Successful exploitation gives the attacker full local privilege escalation, allowing them to read, modify, or destroy data and processes at the kernel level. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-0125 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Android kernel images. Any image carrying an affected kernel version is flagged automatically, without requiring manual scans.
HarborGuard scores this CVE at 7.0 HIGH (CVSS v3.1) and weights that score against each customer environment's configured compliance policy to determine urgency and routing. Findings are delivered to the inbox or ticketing integration configured for the affected workload owner inside each customer org.
No fix version has been published upstream for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow without manual intervention once an upstream fix exists.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no elevated or administrative privileges are needed before exploitation.
- Victim interaction: Not required
  No user interaction is required; the attacker can trigger the race condition entirely from their own process.
- Attack complexity: High
  Exploitation is timing-dependent and requires the attacker to win a race condition between concurrent kernel operations, making reliable reproduction harder without specific environmental conditions.
Blast Radius
- A successful attacker gains kernel-level code execution, breaking out of any user-space privilege boundary.
- Confidential data accessible to the kernel, including credentials, cryptographic keys, and memory belonging to other processes, becomes readable.
- The attacker can modify kernel data structures, persisted files, or other processes' memory.
- The attacker can crash the kernel or render the device unavailable.
How HarborGuard Handles This
Because no upstream patch exists yet, HarborGuard continuously monitors the Google advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. In the interim, compensating controls worth evaluating include restricting ioctl access to the VPU device node via SELinux or seccomp policy, isolating workloads that do not require VPU access through network and process-level policies, and auditing which container images include or expose the affected kernel interface. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will execute without manual steps as soon as the upstream fix is available.
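As an added example (not code from HarborGuard, Google, or the Android kernel tree), this is the seccomp half of the compensating control named above: a classic-BPF filter that fails any ioctl(2) whose request number carries the VPU driver's ioctl type byte with EPERM, plus a small dry-run evaluator so the policy can be checked against synthetic syscall records before it is installed. `VPU_IOC_TYPE` is a placeholder; the real value is the type argument the driver's UAPI header passes to `_IO`/`_IOR`/`_IOW`/`_IOWR`, which the advisory does not give. The filter assumes a little-endian 64-bit target (x86-64 or AArch64) and inspects only the low 32 bits of `args[1]`.

```c
/* Added example, not code from HarborGuard, Google or the Android kernel tree:
 * a seccomp-BPF policy that fails any ioctl(2) whose request carries the VPU
 * driver's ioctl type byte with EPERM, so a sandboxed process that never needs
 * the VPU cannot reach vpu_ioctl at all. Assumes a little-endian 64-bit target. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/ioctl.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* PLACEHOLDER: the advisory does not give the driver's ioctl type byte; take it from the VPU UAPI header. */
#define VPU_IOC_TYPE 0xAB
/* Byte offset of a seccomp_data field, for BPF_LD | BPF_W | BPF_ABS. */
#define SD_OFF(field) ((uint32_t)offsetof(struct seccomp_data, field))

/* The policy. Only the low 32 bits of args[1] (the ioctl request) are read;
 * _IOC_TYPE occupies bits 8..15 on every Linux architecture. */
static struct sock_filter vpu_deny_prog[] = {
    /* 0-2: a record from a foreign ABI (e.g. compat mode) kills the process. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: every syscall except ioctl is allowed (jump to 9). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4),
    /* 5-7: mask the type byte out of the request and compare it. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(args[1])),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, _IOC_TYPEMASK << _IOC_TYPESHIFT),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, VPU_IOC_TYPE << _IOC_TYPESHIFT, 0, 1),
    /* 8: VPU request -> EPERM.  9: anything else -> allow. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

size_t vpu_deny_prog_len(void) { return sizeof(vpu_deny_prog) / sizeof(vpu_deny_prog[0]); }

/* Install the policy in the calling process (children inherit it).
 * Returns 0, or -1 with errno set when seccomp filtering is unavailable. */
int vpu_deny_install(void)
{
    struct sock_fprog prog = { .len = (unsigned short)vpu_deny_prog_len(), .filter = vpu_deny_prog };
    /* Required for unprivileged callers: a filter must not be able to influence a later setuid exec. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Dry-run evaluator: a tiny cBPF interpreter for just the four opcodes used
 * above, so the policy can be checked on synthetic syscall records before it
 * is installed. Returns the SECCOMP_RET_* value the kernel would apply. */
uint32_t vpu_deny_decide(uint32_t arch, int nr, uint64_t request)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    sd.args[1] = request;
    const unsigned char *base = (const unsigned char *)&sd;
    uint32_t acc = 0;
    size_t pc = 0, n = vpu_deny_prog_len();
    while (pc < n) {
        const struct sock_filter *in = &vpu_deny_prog[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, base + in->k, sizeof acc); break;
        case BPF_ALU | BPF_AND | BPF_K: acc &= in->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS; /* opcode this evaluator lacks */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: the kernel would reject such a program */
}

int main(void)
{
    uint32_t vpu = vpu_deny_decide(ARCH_NR, __NR_ioctl, _IO(VPU_IOC_TYPE, 1));
    uint32_t tty = vpu_deny_decide(ARCH_NR, __NR_ioctl, TIOCGWINSZ);
    printf("dry run: VPU ioctl -> %s, tty ioctl -> %s\n",
           vpu == (SECCOMP_RET_ERRNO | EPERM) ? "EPERM" : "allow", tty == SECCOMP_RET_ALLOW ? "allow" : "blocked");
    if (vpu_deny_install() != 0) { perror("seccomp install"); return 1; }
    errno = 0;
    ioctl(STDIN_FILENO, _IO(VPU_IOC_TYPE, 1), 0); /* live check: the kernel now enforces the same decision */
    printf("live: VPU ioctl -> %s\n", errno == EPERM ? "EPERM" : strerror(errno));
    return 0;
}
```

Seccomp cannot see which file an fd refers to, so the filter keys on the request's type byte rather than on the device node; restricting who may open the node at all is the SELinux half of the control (a label on the device node plus a policy that grants open/ioctl only to the domains that need the VPU). A workload that never issues ioctls at all can simply deny the syscall outright instead of matching on the request.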
Affected Products
- Google / Android: Android kernel
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H