CVE-2026-0151

Vulnerability

In the IntfGraphCreate function in intfgraph.c, an integer overflow occurs during memory allocation or size calculation, leading to an out-of-bounds write. This vulnerability affects Pixel devices running Android versions prior to the June 2026 security patch level (2026-06-05). The exact affected versions are not specified in the available references, but the fix is included in the June 2026 Pixel Update Bulletin [1].

Exploitation

An attacker can exploit this vulnerability remotely without any user interaction or additional execution privileges. The integer overflow allows the attacker to craft a malicious input that triggers the out-of-bounds write, potentially corrupting memory. No authentication or special network position is required beyond the ability to send data to the vulnerable component.

Impact

Successful exploitation leads to remote code execution (RCE) in the context of the affected component. The attacker gains the ability to execute arbitrary code, potentially compromising the entire device. The severity is critical as per the CVSS score (not provided but implied by description).

Mitigation

The vulnerability is fixed in the June 2026 Pixel Update Bulletin, with a security patch level of 2026-06-05 or later [1]. Users should ensure their Pixel devices are updated to this patch level. No workarounds are available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.