CVE-2026-0106

Name of the Vulnerable Software and Affected Versions Android VPU driver versions prior to the February 2026 security patch

Description The issue resides within the vpu ioctl function, specifically in the vpu mmap component. A missing bounds check allows for a potential arbitrary address mapping. Successful exploitation could lead to local privilege escalation without requiring additional execution privileges or user interaction. Reports indicate that devices running Android are at risk, with a potential impact on a significant number of devices. The vulnerability allows for arbitrary read/write access to the kernel from a low-privileged userland context through a media parsing process. The vpu ioctl function and its vpu mmap component are central to the issue.

Recommendations Install the February 2026 security patch for Android.