CVE-2026-0027
Use-After-Free in arm-smmu-v3 Causes Local Privilege Escalation
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0027 is a vulnerability in the ARM SMMU v3 driver of the Android kernel, specifically in the function smmu_detach_dev in the file arm-smmu-v3.c. The issue is a possible out-of-bounds write caused by a use-after-free condition: the code attempts to access memory that has already been freed, which can lead to unexpected behavior or security issues.
The vulnerability arises because the driver does not properly verify that the Stream Table Entry (STE) being detached matches the correct domain attributes. Without this check, an attacker could cause incorrect or unauthorized detachments of STEs, potentially leading to system instability or security breaches.
Exploitation of this vulnerability does not require user interaction but does require system execution privileges. The impact can be a local escalation of privilege.
How can this vulnerability impact me?
This vulnerability can lead to a local escalation of privilege on affected Android devices. Because it involves a use-after-free and an out-of-bounds write in a kernel driver, an attacker with system execution privileges could exploit it to gain higher privileges or cause system instability.
Since user interaction is not required, the vulnerability could be exploited by malicious software or an attacker who already has some level of access to the system, potentially allowing them to compromise the device further.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, apply the security patch that adds verification of domain attributes when detaching Stream Table Entries (STEs) in the ARM SMMU v3 KVM driver.
This patch ensures that the STE being detached corresponds to the correct domain, preventing unauthorized detachments that could lead to privilege escalation.
Specifically, update your Android kernel to include the commit identified by hash a47e0e78ad5b4e153b40fc1c9def11991aa6ca0c or 3af14d2057f2f3df97472cef6b293113b020d1e6; each of these commits implements the fix.
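As an added example (not part of the original page and not Android project tooling), the shell function below checks whether a kernel git checkout contains one of the fix commits listed above, either by direct ancestry or as a backport recorded by git cherry-pick -x. The function name has_fix and the reliance on the "cherry picked from commit" line in backport messages are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a kernel git tree carries a fix commit.

# Fix commits named in the advisory text above.
FIX_COMMITS="a47e0e78ad5b4e153b40fc1c9def11991aa6ca0c 3af14d2057f2f3df97472cef6b293113b020d1e6"

# has_fix <repo> <rev> <commit>...
# Returns 0 if any listed commit is an ancestor of <rev>, or if a commit
# reachable from <rev> names it as its cherry-pick source. Returns 1 otherwise.
has_fix() {
    repo=$1; rev=$2; shift 2
    for c in "$@"; do
        # Direct ancestry: the object exists and is reachable from <rev>.
        if git -C "$repo" cat-file -e "${c}^{commit}" 2>/dev/null &&
           git -C "$repo" merge-base --is-ancestor "$c" "$rev" 2>/dev/null; then
            echo "present: $c"
            return 0
        fi
        # Backport: a cherry-pick gets a new hash, but "git cherry-pick -x"
        # records the original hash in the commit message (assumed convention).
        hit=$(git -C "$repo" log -1 --format=%H --fixed-strings \
              --grep="cherry picked from commit $c" "$rev" 2>/dev/null) || hit=""
        if [ -n "$hit" ]; then
            echo "backported: $c as $hit"
            return 0
        fi
    done
    echo "missing: no listed fix commit reachable from $rev"
    return 1
}

# Run directly as: ./check_fix.sh /path/to/kernel [rev]
if [ "$#" -ge 1 ]; then
    has_fix "$1" "${2:-HEAD}" $FIX_COMMITS
fi
```

A "missing" result is not proof of exposure: a vendor tree may carry the change squashed or without the cherry-pick line, so inspect the driver source before drawing a conclusion.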