PatchSiren cyber security CVE debrief
CVE-2026-0133 Google CVE debrief
A vulnerability was discovered in the arm-smmu-v3.c file, specifically in the smmu_attach_dev function. This vulnerability is due to a missing permission check, which could allow an attacker to sign malicious Android Runtime bootclass artifacts. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not required for exploitation.
- Vendor
- Product: Android
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Android users and developers, security teams
Technical summary
The vulnerability is located in the smmu_attach_dev function of arm-smmu-v3.c. A missing permission check allows for the signing of malicious Android Runtime bootclass artifacts, potentially leading to local escalation of privilege.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates from the vendor as soon as they become available.
- Use secure boot mechanisms to validate the authenticity of bootclass artifacts.
- Implement additional security controls to monitor and restrict access to sensitive components.
Evidence notes
The CVE record was obtained from the official CVE website. The vulnerability details were retrieved from the NVD database.
Official resources
- CVE-2026-0133 CVE record (CVE.org)
- CVE-2026-0133 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-0133 was published on 2026-06-16T20:16:24.170Z and modified on 2026-06-16T20:42:25.013Z.