Use-After-Free Vulnerability in VPU Affects Android Devices
CVE-2026-0121

2.9 LOW

Key Information:

Vendor: Google

Status
Vendor
CVE Published: 10 March 2026

What is CVE-2026-0121?

CVE-2026-0121 is a use-after-free vulnerability in the VPU component affecting Android devices. A race condition in the VPU allows memory to be accessed after it has already been deallocated, which can lead to unintended behavior. Exploitation requires no additional execution privileges and no user interaction, and it creates opportunities for unauthorized access to sensitive information. This could significantly undermine the integrity and confidentiality of data processed on affected devices, posing a risk to both user privacy and corporate data security.

Potential impact of CVE-2026-0121

  1. Local Information Disclosure: The primary risk associated with CVE-2026-0121 is the potential for local information disclosure. Attackers may exploit this vulnerability to gain access to sensitive data stored on the device, compromising user privacy and potentially exposing sensitive corporate information.

  2. Data Security Risks: Organizations relying on Android devices for business operations may face severe data security challenges. The exploitation of this vulnerability could lead to breaches where attackers obtain confidential information, risking legal repercussions and loss of customer trust.

  3. Compromised Device Integrity: Although no additional execution privileges are required for exploitation, the presence of this vulnerability could undermine the overall integrity of the device. This includes the possible manipulation of device functions, which could facilitate the introduction of further vulnerabilities or malware, impacting both device performance and organizational operations.

Affected Version(s)

Android Android kernel

References

CVSS V3.1

Score: 2.9
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
