Cyber Posture

CVE-2026-0106

Critical

Published: 05 February 2026
Modified: 19 February 2026
KEV: not listed
CVSS Score: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0000 (0.1th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0106 is a critical-severity vulnerability in Google Android, classed as Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119). Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score of 0.0000 places it at the 0.1th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

SI-10 Information Input Validation (prevent): Requires bounds checking and validation of the user-supplied inputs to vpu_mmap (reached through vpu_ioctl), so that a request cannot map an address outside the memory the driver is meant to expose.

SI-16 Memory Protection (prevent): Implements memory protection mechanisms such as non-executable memory and address space restrictions to make an arbitrary mmap harder to turn into privilege escalation.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of the missing bounds check in vpu_mmap, in practice by installing the fix published in the February 2026 Pixel security bulletin.
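What the SI-10 control above asks for, as an added example: a model of a device mmap handler that trusts the userspace-supplied page offset and VMA length (the bug class the NVD description calls an "arbitrary address mmap due to a missing bounds check"), beside the hardened form that rejects any window outside the device buffer, including offsets chosen to wrap the arithmetic. This is not the Pixel VPU driver's code and is not taken from this page; the struct layouts, function names and device geometry are assumptions standing in for the real kernel types, and it is written as user-space C so it builds and runs anywhere (a real driver would finish with remap_pfn_range() instead of filling in struct mapping).

```c
/*
 * Added example, not the Pixel VPU driver. Models a device mmap handler so
 * the missing bounds check, and the corrected one, can be run and tested.
 * Struct layouts, names and the demo device geometry are assumptions.
 */
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (UINT64_C(1) << PAGE_SHIFT)

/* Stand-in for struct vm_area_struct: only the fields an mmap handler reads. */
struct vma_model {
    uint64_t vm_start;  /* user virtual start, page aligned */
    uint64_t vm_end;    /* one past the last user virtual address */
    uint64_t vm_pgoff;  /* offset in pages, straight from the mmap() syscall */
};

/* Hypothetical device: one physically contiguous buffer the driver owns. */
struct vpu_dev_model {
    uint64_t buf_pfn;   /* first page frame of the buffer */
    uint64_t buf_pages; /* buffer length in pages */
};

/* What remap_pfn_range() would be told to map, recorded so callers can inspect it. */
struct mapping {
    uint64_t first_pfn;
    uint64_t last_pfn;  /* inclusive */
};

/* Vulnerable pattern: vm_pgoff and the VMA length are used unchecked. */
int vpu_mmap_vulnerable(const struct vpu_dev_model *dev,
                        const struct vma_model *vma, struct mapping *out)
{
    uint64_t pages = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;

    out->first_pfn = dev->buf_pfn + vma->vm_pgoff; /* any pfn userspace asks for */
    out->last_pfn  = out->first_pfn + pages - 1;
    return 0;
}

/* Hardened form: the whole [pgoff, pgoff + pages) window must lie in the buffer. */
int vpu_mmap_checked(const struct vpu_dev_model *dev,
                     const struct vma_model *vma, struct mapping *out)
{
    uint64_t len = vma->vm_end - vma->vm_start;
    uint64_t pages;

    if (len == 0 || (len & (PAGE_SIZE - 1)) != 0)
        return -EINVAL;                     /* refuse empty or unaligned requests */
    pages = len >> PAGE_SHIFT;

    /* Ordered so a huge vm_pgoff cannot wrap pgoff + pages back into range. */
    if (vma->vm_pgoff >= dev->buf_pages ||
        pages > dev->buf_pages - vma->vm_pgoff)
        return -EINVAL;

    out->first_pfn = dev->buf_pfn + vma->vm_pgoff;
    out->last_pfn  = out->first_pfn + pages - 1;
    return 0;
}

/* True when a mapping lies entirely inside the device buffer. */
bool mapping_in_bounds(const struct vpu_dev_model *dev, const struct mapping *m)
{
    return m->first_pfn <= m->last_pfn &&
           m->first_pfn >= dev->buf_pfn &&
           m->last_pfn  <  dev->buf_pfn + dev->buf_pages;
}

/* Constructed demo device: 16 pages starting at pfn 0x80000. */
static const struct vpu_dev_model demo_dev = { .buf_pfn = 0x80000, .buf_pages = 16 };

/* Build a VMA of len_bytes at page offset pgoff, as mmap(2) would hand the driver. */
static struct vma_model demo_vma(uint64_t pgoff, uint64_t len_bytes)
{
    struct vma_model v = { .vm_start = UINT64_C(0x7f0000000000),
                           .vm_end   = UINT64_C(0x7f0000000000) + len_bytes,
                           .vm_pgoff = pgoff };
    return v;
}

int demo_vulnerable(uint64_t pgoff, uint64_t len_bytes, struct mapping *out)
{
    struct vma_model v = demo_vma(pgoff, len_bytes);
    return vpu_mmap_vulnerable(&demo_dev, &v, out);
}

int demo_checked(uint64_t pgoff, uint64_t len_bytes, struct mapping *out)
{
    struct vma_model v = demo_vma(pgoff, len_bytes);
    return vpu_mmap_checked(&demo_dev, &v, out);
}

bool demo_in_bounds(const struct mapping *m)
{
    return mapping_in_bounds(&demo_dev, m);
}

int main(void)
{
    struct mapping m;
    /* Ask for 4 pages at page offset 1000, far past the 16-page buffer. */
    int rc = demo_vulnerable(1000, 4 * PAGE_SIZE, &m);
    printf("vulnerable: rc=%d maps pfn 0x%" PRIx64 "..0x%" PRIx64 " in_bounds=%d\n",
           rc, m.first_pfn, m.last_pfn, demo_in_bounds(&m));
    rc = demo_checked(1000, 4 * PAGE_SIZE, &m);
    printf("checked:    rc=%d (-EINVAL is %d)\n", rc, -EINVAL);
    return 0;
}
```

The ordering of the two comparisons in vpu_mmap_checked is the part worth copying: a check written as `pgoff + pages > buf_pages` passes for a pgoff near UINT64_MAX because the sum wraps, which is exactly the kind of input an unprivileged caller controls. Checking pgoff against the buffer length first, then the remaining room against the page count, cannot wrap.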

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct local privilege escalation via memory corruption (an arbitrary mmap) with no privileges required (PR:N), which matches Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysis (AI-generated)

CVE-2026-0106 is a vulnerability in the vpu_mmap function within vpu_ioctl: a missing bounds check lets a caller mmap an arbitrary address. It affects Android Pixel devices and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-125 (Out-of-bounds Read), and CWE-787 (Out-of-bounds Write). Published on 2026-02-05, it carries a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), which is Critical severity.

A local attacker needs no additional execution privileges and no user interaction. Successful exploitation escalates privilege: an mmap of an attacker-chosen address gives an unprivileged process access to memory it should never reach, which is why confidentiality, integrity, and availability are all rated High and the scope is Changed (the impact extends beyond the vulnerable driver to the rest of the device).

The Android Pixel security bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-02-01 details available patches and mitigation guidance for addressing this vulnerability.

Details

CWE(s): CWE-119, CWE-125, CWE-787

Affected Products: Google Android, all versions (per the CPE entry; fixed builds are listed in the Pixel bulletin above)

CVEs Like This One

CVE-2026-0035 (same product: Google Android)
CVE-2026-0010 (same product: Google Android)
CVE-2024-53838 (same product: Google Android)
CVE-2026-0123 (same product: Google Android)
CVE-2024-53837 (same product: Google Android)
CVE-2026-0124 (same product: Google Android)
CVE-2024-49745 (same product: Google Android)
CVE-2026-0117 (same product: Google Android)
CVE-2026-0037 (same product: Google Android)
CVE-2025-32313 (same product: Google Android)

References

Android Pixel Security Bulletin, February 2026: https://source.android.com/docs/security/bulletin/pixel/2026/2026-02-01