How is CVE-2026-0150 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required. Authentication (required): Any low-privilege account on the device is sufficient; the attacker does not need administrative or root credentials to reach the vulnerable code path. Victim interaction (not-required): No user interaction of any kind is needed; the attacker can trigger the overflow entirely on their own. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race-condition timing, memory-layout guessing, or other environmental preconditions.

What is the impact of CVE-2026-0150?

A successful attacker escalates from a low-privilege process to root, gaining unrestricted control over the device. With root access, the attacker reads any file or memory region on the system, including credentials, keys, and sensitive application data. The attacker writes to or modifies any file, kernel structure, or persisted data on the device, including security-critical system files. The attacker can crash, restart, or permanently disable system services and the device itself.

Back to search

HIGHCVE-2026-0150Published 2026-06-16Modified 2026-06-16CNA Google_Devices

CVE-2026-0150: In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow

In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow leading to an out-of-bounds write exists in the ExecuteGraph command handler of the EdgeTPU firmware component within the Android kernel. The flaw is reachable locally by an attacker who already has a low-privilege shell or process on the device, and no user interaction is required. Successful exploitation allows the attacker to escalate privileges to root, gaining full read, write, and execution control over the affected system. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as Google releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-0150 is available across every HarborGuard environment, with the CVE ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Android or embedded images that bundle the affected Android kernel components. Any image in a connected registry or CI pipeline that carries a vulnerable kernel version is eligible for flagging.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 severity of 7.8 (HIGH) and weighting that score against each customer organization's compliance policy to determine urgency and escalation path. Triage results are routable to the appropriate team inbox within each customer environment based on configured ownership rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a remediated Android kernel release. In the meantime, customers with compensating-control policies can use HarborGuard's network-isolation and workload-segmentation recommendations to limit exposure of containers running the affected kernel.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required.
AuthenticationRequired
Any low-privilege account on the device is sufficient; the attacker does not need administrative or root credentials to reach the vulnerable code path.
Victim interactionNot required
No user interaction of any kind is needed; the attacker can trigger the overflow entirely on their own.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race-condition timing, memory-layout guessing, or other environmental preconditions.

Blast Radius

A successful attacker escalates from a low-privilege process to root, gaining unrestricted control over the device.
With root access, the attacker reads any file or memory region on the system, including credentials, keys, and sensitive application data.
The attacker writes to or modifies any file, kernel structure, or persisted data on the device, including security-critical system files.
The attacker can crash, restart, or permanently disable system services and the device itself.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-0150 is active across all connected environments, flagging images that include the affected Android kernel component as soon as they are scanned or pushed. Because Google has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a rebuild automatically once a remediated kernel version is released; customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. While the vulnerability is unpatched, customers can reduce exposure by applying network-policy isolation to any containers or workloads running on hosts with the affected kernel, restricting which identities can acquire even low-privilege shells on those hosts, and using HarborGuard policy rules to gate deployment of images containing the affected kernel version until an upstream fix is available.

See how HarborGuard automates this

Affected packages

Google / Android
Android kernel

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified