← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0106 · CWE-119 · Disclosed 2026-02-05

In vpu_mmap of vpu_ioctl

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a valet key that can open the whole garage, but only after the attacker is already sitting in the car

CVE-2026-0106 is a missing bounds check in the Pixel VPU driver path vpu_mmap reached from vpu_ioctl. In plain English: untrusted code already running on the device can ask the driver to map far more physical memory than it should, turning a device-memory mapping into broad kernel memory access. Public CNA data says "Android kernel," but Google's own February 2026 Pixel bulletin scopes it to the VPU Driver; the safest affected-range statement is supported Pixel devices carrying the vulnerable VPU driver before security patch level 2026-02-05.

The vendor-style 9.3 / CRITICAL score overstates real enterprise urgency because the decisive friction is attacker position: this is AV:L and needs code execution on the handset first. That matters. For a defender running a large fleet, this is best treated as a high-value post-compromise privilege escalation: serious because it can turn a sandboxed app foothold into full kernel compromise, but not critical because it is neither remotely reachable nor broadly internet-exposed.

"Powerful kernel LPE, but still a post-compromise Pixel driver bug, not an internet-scale emergency."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code execution on the device

The attacker first needs a process running on the target Pixel handset, typically a malicious app, sideloaded native helper, or another exploit stage. This CVE does not provide initial access by itself; it is the privilege-escalation half of a chain.
Conditions required:
  • Attacker can execute code locally on the Android device
  • Target is a supported Pixel device with the vulnerable VPU driver
  • Device is missing the 2026-02-05 security patch level
Where this breaks in practice:
  • Managed Android fleets often restrict sideloading and unapproved apps via MDM
  • Play Protect, enterprise app allow-listing, and mobile threat defense can block or flag the initial foothold
  • This prerequisite means the vulnerability is already post-initial-access
Detection/coverage: Traditional external scanners will miss this entirely. You need MDM inventory, mobile threat defense telemetry, and patch-level reporting.
STEP 02

Abuse vpu_mmap with a custom userland helper

Using a small native helper or the technique described in the public Project Zero issue, the attacker opens the VPU path and requests an oversized mapping. Because the bounds check is missing, remap_pfn_range can expose adjacent physical memory instead of only the intended device region.
Conditions required:
  • Local code can reach the vulnerable VPU device interface
  • Kernel build contains the vulnerable VPU driver behavior
Where this breaks in practice:
  • Exploitability depends on this specific driver being present; this is not a generic Android userspace bug
  • Device-family scoping narrows exposure materially versus 'all Android'
Detection/coverage: EDR-style syscall telemetry on mobile is limited. Kernel audit coverage for suspicious mmap against device nodes is uncommon outside specialized mobile security tooling.
STEP 03

Turn device memory mapping into kernel read/write

Project Zero states the missing size validation allows mapping arbitrarily large adjacent physical ranges and, on the tested Pixel build, even readable/writable kernel regions. That converts the bug from 'weird driver misuse' into a straightforward kernel arbitrary read/write primitive.
Conditions required:
  • Oversized mapping succeeds
  • Relevant physical layout remains predictable enough on the target build
Where this breaks in practice:
  • Real exploit reliability can vary by device model and build details
  • Exploit chains may need maintenance across handset generations and monthly patches
Detection/coverage: There is no dependable network signature. Practical detection is mostly indirect: crash telemetry, anomalous kernel panics, or signs of a compromised app escaping its sandbox.
STEP 04

Overwrite kernel objects and escape the app sandbox

The public Project Zero report describes overwriting the signalfd file-operations table and then triggering a syscall to pivot execution. In a real intrusion, the same primitive can be used to tamper with credential structures, disable security controls, or implant persistent kernel-level hooks.
Conditions required:
  • Attacker has kernel read/write from the previous step
  • A suitable overwrite target is available on the tested build
Where this breaks in practice:
  • Per-device blast radius is one handset at a time, not a whole internet-facing service
  • Mobile OS updates and hardware variation can break exploit portability
Detection/coverage: Look for kernel crashes, unexpected reboots, integrity failures, or MTD alerts indicating privilege escalation from an untrusted app context.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation found in the retrieved authoritative sources. CISA ADP SSVC on the OpenCVE record shows Exploitation: none.
KEV statusNot listed in the CISA KEV Catalog as checked today.
Proof-of-concept availabilityTechnical exploit details are public via Project Zero issue 463438263, which states an attached PoC mapped kernel memory and overwrote signalfd structures. I did not find a public GitHub PoC repository in the retrieved sources.
EPSSCVE Details shows 0.00% EPSS; the retrieved page did not expose a usable percentile value.
CVSS vector meaningCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H means easy once on-device, no prior privileges, no user click, and full kernel-level impact. The problem is the local attacker-position prerequisite.
Affected rangeAuthoritative public scoping is messy: CNA/NVD say Google Android / Android kernel, but Google's own Pixel February 2026 bulletin names the VPU Driver. Practical defender view: supported Pixel devices missing patch level 2026-02-05.
Fixed versionGoogle states security patch level 2026-02-05 or later addresses the issue on supported Pixel devices.
Internet exposure / scanning realityNo meaningful Shodan/Censys/FOFA exposure metric exists here. This is an Android kernel driver bug with AV:L, not a remotely reachable network service; any public-internet host count would be a category error.
Disclosure timelineCVE published 2026-02-05. Google's Pixel bulletin was published 2026-02-03 and says patch level 2026-02-05 or later fixes it.
Reporting researcher / orgProject Zero issue 463438263 lists Jann Horn and Seth Jenkins as finders and marks the issue fixed on 2026-02-05.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.4/10)

The single biggest downgrade factor is attacker position: exploitation requires code execution on the handset first, which makes this a post-compromise escalation rather than an initial-access bug. It still lands in HIGH because the public technical details indicate a very strong kernel read/write primitive on affected Pixel builds, so once an attacker is on-device the blast radius for that handset is total.

HIGH Technical impact after successful exploitation is severe
MEDIUM Population scoping is narrower than generic 'all Android' and appears centered on Pixel VPU-driver exposure
MEDIUM No reliable public evidence of broad in-the-wild exploitation as of the sources checked

Why this verdict

  • Downgrade for attacker position: AV:L means the attacker must already have code execution on the handset; that is a major real-world friction point and makes this post-initial-access.
  • Downgrade for exposure population: Google's own bulletin scopes the issue to the Pixel VPU Driver, which is a much smaller exposed population than the raw Google Android label implies.
  • Hold at HIGH because impact is real: Project Zero describes a path to mapping kernel memory as userland-readable/writable, which is far beyond a mere denial-of-service and enables full device compromise.

Why not higher?

It is not CRITICAL because this bug does not cross the network boundary by itself. Enterprises do not face internet-wide opportunistic scanning for an Android local driver bug; an attacker must first get code onto the device, and that prerequisite cuts reachable population sharply.

Why not lower?

It should not fall to MEDIUM because the exploit path is unusually potent once the prerequisite is met. This is not a finicky logic flaw with low payoff; the public Project Zero write-up indicates a direct path to kernel memory access and full sandbox escape on affected builds.

05 · Compensating Control

What to do — in priority order.

  1. Block untrusted app installation — Use Android Enterprise / MDM policy to disable sideloading, restrict unknown sources, and enforce app allow-listing where business-feasible. This directly attacks the most important prerequisite: local code execution. For a HIGH verdict, deploy or verify this control within 30 days.
  2. Enforce Play Protect and mobile threat defense — Require Google Play Protect to stay enabled and integrate MTD telemetry for detections around malicious apps, privilege escalation behavior, and jailbreak-like anomalies. This is the best practical choke point before the kernel bug is reachable. For a HIGH verdict, verify fleet-wide policy compliance within 30 days.
  3. Quarantine stale Pixel patch levels — Use MDM compliance rules to flag or reduce access for Pixel devices reporting security patch levels older than 2026-02-05. This shrinks the live vulnerable population while you work remediation. For a HIGH verdict, put the compliance rule in place within 30 days.
  4. Constrain sensitive access from mobile devices — Require conditional access for email, VPN, SSO, and admin portals so a compromised handset cannot automatically pivot into higher-value enterprise systems. Tie access to device compliance, patch level, and attestation status. For a HIGH verdict, complete the access-policy review within 30 days.
What doesn't work
  • A perimeter WAF does not help because there is no exposed web transaction to filter.
  • External vulnerability scanners will not find this reliably because it is a local kernel driver condition, not a remotely queryable service.
  • MFA alone does not stop exploitation on the handset; it may limit downstream abuse, but it does not prevent the local privilege escalation itself.
06 · Verification

Crowdsourced verification payload.

Run this on the target Android/Pixel device through adb shell, or push it with your EMM agent if you have shell execution. Example: adb push check_cve_2026_0106.sh /data/local/tmp/ && adb shell sh /data/local/tmp/check_cve_2026_0106.sh. No root is required; it reads standard build properties and reports VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/system/bin/sh
# check_cve_2026_0106.sh
# Determine likely exposure to CVE-2026-0106 on Google Pixel devices.
# Logic:
#   - If not a Google/Pixel-like device: UNKNOWN
#   - If Google/Pixel and security patch < 2026-02-05: VULNERABLE
#   - If Google/Pixel and security patch >= 2026-02-05: PATCHED
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

TARGET_PATCH="2026-02-05"

get_prop() {
  /system/bin/getprop "$1" 2>/dev/null
}

MANUFACTURER="$(get_prop ro.product.manufacturer)"
BRAND="$(get_prop ro.product.brand)"
MODEL="$(get_prop ro.product.model)"
DEVICE="$(get_prop ro.product.device)"
PATCH="$(get_prop ro.build.version.security_patch)"
FINGERPRINT="$(get_prop ro.build.fingerprint)"

norm_date() {
  echo "$1" | tr -cd '0-9-'
}

PATCH_N="$(norm_date "$PATCH")"
TARGET_N="$(norm_date "$TARGET_PATCH")"

IS_GOOGLE=0
case "$(echo "$MANUFACTURER $BRAND $MODEL $DEVICE $FINGERPRINT" | tr '[:upper:]' '[:lower:]')" in
  *google*|*pixel*) IS_GOOGLE=1 ;;
esac

if [ "$IS_GOOGLE" -ne 1 ]; then
  echo "UNKNOWN - non-Google/Pixel device or unable to confirm Pixel-family VPU exposure"
  exit 2
fi

if [ -z "$PATCH_N" ]; then
  echo "UNKNOWN - could not read ro.build.version.security_patch"
  exit 2
fi

# Simple lexical compare works for YYYY-MM-DD format.
if [ "$PATCH_N" \< "$TARGET_N" ]; then
  echo "VULNERABLE - Google/Pixel device with security patch level $PATCH_N (< $TARGET_N)"
  exit 1
fi

if [ "$PATCH_N" \> "$TARGET_N" ] || [ "$PATCH_N" = "$TARGET_N" ]; then
  echo "PATCHED - Google/Pixel device with security patch level $PATCH_N (>= $TARGET_N)"
  exit 0
fi

echo "UNKNOWN - unable to determine status"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a targeted mobile-fleet hardening problem, not a global critical-servers event. Inventory Pixel devices, identify anything below security patch level 2026-02-05, and use MDM to block untrusted app install paths plus enforce compliance on stale devices within 30 days per the noisgate mitigation SLA; then complete the actual vendor patch rollout to affected Pixel endpoints within 180 days per the noisgate remediation SLA.

Sources

  1. NVD CVE-2026-0106
  2. Google Pixel Update Bulletin — February 2026
  3. Android Security Bulletin — February 2026
  4. Project Zero issue 463438263
  5. OpenCVE record for CVE-2026-0106
  6. CISA Known Exploited Vulnerabilities Catalog
  7. CVE Details record for CVE-2026-0106
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.