CVE-2026-0134

Vulnerability

A logic error in the PostWipeData function within recovery_ui.cpp causes a data persistence issue after a factory reset. This affects Pixel devices with a security patch level before 2026-06-05, as per the June 2026 Pixel Update Bulletin [1]. The flaw allows certain data to remain on the device even after a factory reset should have erased it.

Exploitation

An attacker with physical or local access to the device can exploit this vulnerability without any user interaction. The attacker simply performs or triggers a factory reset, and due to the logic error, some data is not wiped as expected. No additional execution privileges are required [1].

Impact

Successful exploitation leads to local information disclosure. The attacker could recover sensitive data that was meant to be permanently erased during the factory reset, potentially exposing personal or confidential information [1].

Mitigation

Google addressed this vulnerability in the June 2026 Pixel Update Bulletin with a security patch level of 2026-06-05 [1]. Users should ensure their Pixel devices are updated to a patch level of 2026-06-05 or later to mitigate this issue. No workaround is available.