CVE-2026-0027
Received Received - Intake
Use-After-Free in arm-smmu-v3 Causes Local Privilege Escalation

Publication date: 2026-03-02

Last updated on: 2026-03-06

Assigner: Android (associated with Google Inc. or Open Handset Alliance)

Description
In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0027
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google android *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0027 is a vulnerability in the ARM SMMU v3 driver of the Android kernel, specifically in the function smmu_detach_dev within the arm-smmu-v3.c file. The issue is a possible out of bounds write caused by a use after free condition. This means that the code attempts to access memory that has already been freed, which can lead to unexpected behavior or security issues.

The vulnerability arises because the driver does not properly verify that the Stream Table Entry (STE) being detached matches the correct domain attributes. Without this check, an attacker could cause incorrect or unauthorized detachments of STEs, potentially leading to system instability or security breaches.

Exploitation of this vulnerability does not require user interaction but does require system execution privileges. The impact can be a local escalation of privilege.

Impact Analysis

This vulnerability can lead to a local escalation of privilege on affected Android devices. Because it involves a use after free and out of bounds write in a kernel driver, an attacker with system execution privileges could exploit it to gain higher privileges or cause system instability.

Since user interaction is not required, the vulnerability could be exploited by malicious software or an attacker who already has some level of access to the system, potentially allowing them to compromise the device further.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, apply the security patch that adds verification of domain attributes when detaching Stream Table Entries (STEs) in the ARM SMMU v3 KVM driver.

This patch ensures that the STE being detached corresponds to the correct domain, preventing unauthorized detachments that could lead to privilege escalation.

Specifically, update your Android kernel to include the commit identified by hash a47e0e78ad5b4e153b40fc1c9def11991aa6ca0c or 3af14d2057f2f3df97472cef6b293113b020d1e6, which implement this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart