CVE-2026-0143 | Severity: HIGH | CNA: Google_Devices

CVE-2026-0143: In lwis_device_external_event_emit of lwis_event

In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (no version listed)
  • Affected products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the lwis_device_external_event_emit function of the Android kernel's lwis_event.c. The flaw is reachable locally by an attacker who already holds a low-privilege account on the device, without requiring any user interaction. Successful exploitation causes memory corruption that grants the attacker elevated system execution privileges. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Android kernel images. Any image carrying an affected kernel version is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and weights the finding against each customer environment's compliance policy. Triage alerts are routed to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.

Status: Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a corrected kernel release. Customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads without additional manual steps.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege account on the device is sufficient to trigger the vulnerable code path.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker operates entirely on their own.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special environmental factors must be arranged.

Blast Radius

  • A successful attacker gains system-level execution privileges, escaping the restrictions of their original low-privilege account.
  • Memory corruption from the use-after-free allows the attacker to read arbitrary kernel memory, exposing credentials, keys, and sensitive runtime data.
  • The attacker can write to kernel memory, modifying security controls, process credentials, or persisted state on the device.
  • Kernel memory corruption can crash the affected device or render it unbootable, causing a full service disruption.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against every customer image that includes an affected Android kernel build. Because no upstream fix exists yet, HarborGuard re-checks the Google advisory on each ingest cycle. The moment a patched kernel release is published, a rebuilt image becomes available. For customers with auto-remediation enabled, that rebuild triggers an automated regression-test run and a PR opened against affected workloads.

In the interim, compensating controls worth considering include:

  • Enforcing strict Linux Security Module (LSM) profiles to limit which processes can reach the lwis driver interface.
  • Applying network-policy isolation to containers that include the affected kernel module.
  • Using feature-flag gating to disable the lwis external-event path in non-production environments where it is not strictly required.

Affected packages

  • Google / Android: Android kernel

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H