CVE-2026-0153: In Write of msg_to_host_buffer
In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds write vulnerability exists in the Android kernel, specifically in the Write function of msg_to_host_buffer.cc, where an incorrect bounds check allows memory to be written past the end of an intended buffer. The flaw is reachable locally by any low-privilege process already running on the device, with no user interaction required. Successful exploitation gives an attacker full escalation of privilege on the affected host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-0153 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Android kernel images.
Status: Available
Triage is available with the full CVSS v3.1 score of 7.8 (HIGH) applied to each matched image, weighted against the compliance policy configured for each customer environment, and routed to the appropriate team inbox within that organization.
Status: Available
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix version.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the vulnerable code is required.
- Authentication: Required
  Any low-privilege account or process context on the device is sufficient; no elevated or admin credentials are needed.
- Victim interaction: Not required
  The exploit executes entirely within the attacker-controlled process; no action by another user is needed.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions, specific memory layouts, or environmental dependencies are noted in the CVSS scoring.
Blast Radius
- Attacker gains full kernel-level privileges on the compromised device, overriding all process isolation boundaries.
- Confidential data stored on the device, including credentials, session tokens, and application data, becomes readable by the attacker.
- The attacker can write or modify any data on the device, including system files, application state, and persisted records.
- The attacker can crash or destabilize the kernel, taking the device or containerized workload offline.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet for CVE-2026-0153, the platform monitors the Google advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. For environments with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. In the interim, customers can reduce exposure by applying network-policy isolation to limit lateral movement from any compromised container, restricting which images are permitted to run with elevated kernel capabilities via admission policies, and reviewing workloads that bundle or extend the Android kernel for unnecessary privilege grants. Customers who opt into advisory-watch notifications will receive an alert the moment the upstream patch lands.
- Google / Android: Android kernel
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H