Severity: HIGH | CVE-2026-0138 | CNA: Google_Devices

CVE-2026-0138: In lwis_io_buffer_write of lwis_io_buffer

In lwis_io_buffer_write of lwis_io_buffer.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (no fix version listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Android kernel's lwis_io_buffer_write function (lwis_io_buffer.c), reachable by a local attacker who already holds system-level execution privileges. Because the bug involves memory corruption, a successful exploit gives the attacker full control over kernel memory. This can lead to local privilege escalation, arbitrary code execution in the kernel, and complete compromise of the affected device. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Google publishes a fix version.

HarborGuard Coverage

Detection

Detection for CVE-2026-0138 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android kernel images in connected registries and CI pipelines. No manual scan trigger is required.

Status: Available

Triage

HarborGuard can score this CVE at its published CVSS v3.1 severity of 7.8 (HIGH) and weight that score against each customer environment's compliance policy to prioritize routing. Triage tickets can be directed to the appropriate team inbox within each customer organization based on policy-defined rules.

Status: Available

Patch

Because no fix version has been published for CVE-2026-0138, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google ships a correction. Until then, the vulnerability remains flagged as unresolved in each matched environment's findings list.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access path is required to reach the vulnerable code.

  • Authentication: Required

    The CVSS vector rates the privileges required as Low (PR:L), which corresponds to a low-privilege local account; however, the CVE description specifies that System execution privileges are needed, meaning the attacker must already hold elevated system-level access on the device.

  • Victim interaction: Not required

    No user interaction of any kind is required; the attacker can trigger the vulnerable code path entirely on their own.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or memory-layout prerequisites beyond the privilege requirement.

Blast Radius

  • Reads any memory region accessible to the kernel, including stored credentials, session tokens, and encryption keys held in kernel space.
  • Modifies kernel memory structures, allowing the attacker to alter security policies, bypass access controls, or overwrite arbitrary process memory.
  • Executes attacker-supplied code at kernel privilege level, giving full control over the operating system and all processes running on the device.
  • Crashes or destabilizes the kernel, causing the affected device to reboot or become unresponsive.

How HarborGuard Handles This

Available on HarborGuard: because Google has not yet published a fix version for CVE-2026-0138, the platform continuously monitors the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically once a fix is released. In the interim, HarborGuard flags all matched images as unresolved-HIGH in each environment's findings queue. Compensating controls worth evaluating include restricting container workloads that expose the affected Android kernel surface to the minimum required system privilege level, applying network-policy isolation to limit lateral movement if a device is compromised, and using feature-flag gating to disable non-essential kernel driver interfaces where the host environment permits. For customers with auto-remediation enabled, the rebuild-and-PR flow will engage without additional manual steps the moment an upstream fix is ingested.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H