CVE-2026-0029
Logic Error in pkvm_init_vm Causes Local Privilege Escalation
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | * | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0029 is a vulnerability in the protected Kernel-based Virtual Machine (pKVM) hypervisor on ARM64. It is triggered when the host hands the hypervisor an undersized or misaligned Page Global Directory (PGD) allocation. The hypervisor expects to carve physically aligned pages for the guest stage-2 tables out of a pool pre-filled from that allocation, so a misaligned PGD makes guest stage-2 initialization fail.
The root cause is a logic error: the hypervisor code does not check the alignment of the host-provided PGD allocation before using it, leading to memory corruption and a crash in the hypervisor. This can result in local escalation of privilege without requiring additional execution privileges or user interaction.
How can this vulnerability impact me?
This vulnerability can lead to local escalation of privilege on affected ARM64 systems using pKVM. An attacker with local access could exploit the memory corruption caused by the misaligned PGD allocation to gain higher privileges within the system.
Because no additional execution privileges or user interaction are needed, the vulnerability increases the risk of unauthorized privilege escalation, potentially allowing an attacker to compromise the security of the virtualized environment or the host system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a logic error in the pKVM implementation on ARM64 architectures related to misaligned Page Global Directory (PGD) allocations causing crashes during guest stage-2 initialization.
Detection would require checking the alignment and size of PGD allocations passed to the hypervisor at Exception Level 2 (EL2). Since this is a low-level kernel/hypervisor issue, detection might involve inspecting kernel logs for crashes related to guest_s2_zalloc_pages_exact() failures or hyp_alloc_pages() allocation failures.
No specific commands or network detection methods are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by patches that add early checks for the host-provided PGD alignment to ensure it meets physical alignment constraints, preventing the hypervisor crash.
Immediate mitigation steps include applying the official patches to the ARM64 KVM hypervisor code, specifically the fixes in arch/arm64/kvm/hyp/nvhe/mem_protect.c and arch/arm64/kvm/hyp/nvhe/pkvm.c.
Since this is a local privilege escalation vulnerability requiring no user interaction, ensuring your system is updated with the latest kernel/hypervisor patches from your vendor or Android security updates is critical.
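The kind of early validation the fix is described as adding, written here as an added example in plain C. This is not the kernel's, Android's or the pKVM project's code, and it does not reproduce the actual patch. The 4 KiB page size, the four-page PGD, the rule that the region must be aligned to its own size (stricter than the page alignment the Q&A mentions), and all addresses below are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry for this example (not the kernel's constants): 4 KiB pages
 * and a stage-2 PGD that spans 4 concatenated pages, so 16 KiB in total. */
#define EXAMPLE_PAGE_SHIFT 12u
#define EXAMPLE_PAGE_SIZE  (1ull << EXAMPLE_PAGE_SHIFT)
#define EXAMPLE_PGD_PAGES  4ull
#define EXAMPLE_PGD_SIZE   (EXAMPLE_PGD_PAGES * EXAMPLE_PAGE_SIZE)

enum pgd_check_result {
    PGD_OK = 0,
    PGD_ERR_NULL,        /* no allocation supplied at all            */
    PGD_ERR_UNALIGNED,   /* base not aligned to the PGD's own size   */
    PGD_ERR_UNDERSIZED,  /* fewer bytes than the PGD needs           */
    PGD_ERR_OVERFLOW,    /* base + size wraps the address space      */
};

/* Validate a host-supplied PGD region (physical base + size) before any
 * hypervisor-side code treats it as a pool of EXAMPLE_PGD_PAGES aligned
 * pages. Each check rejects one way an untrusted host could hand over a
 * region the pool filler would otherwise mis-handle. Order matters only
 * for which error is reported first; any failure rejects the region. */
enum pgd_check_result check_host_pgd(uint64_t pgd_pa, uint64_t size)
{
    if (pgd_pa == 0)
        return PGD_ERR_NULL;
    /* Natural alignment: a concatenated table must start on a boundary
     * that is a multiple of its total size (assumption of this example). */
    if (pgd_pa & (EXAMPLE_PGD_SIZE - 1))
        return PGD_ERR_UNALIGNED;
    if (size < EXAMPLE_PGD_SIZE)
        return PGD_ERR_UNDERSIZED;
    /* Guard the end-of-region arithmetic a pool filler would perform. */
    if (pgd_pa > UINT64_MAX - size)
        return PGD_ERR_OVERFLOW;
    return PGD_OK;
}

/* Count how many whole, page-aligned pages a validated region yields.
 * Returns 0 for anything check_host_pgd() rejects, so callers cannot
 * accidentally fill a pool from a bad region. */
uint64_t pgd_pool_pages(uint64_t pgd_pa, uint64_t size)
{
    if (check_host_pgd(pgd_pa, size) != PGD_OK)
        return 0;
    return size >> EXAMPLE_PAGE_SHIFT;
}

static const char *pgd_check_name(enum pgd_check_result r)
{
    switch (r) {
    case PGD_OK:             return "ok";
    case PGD_ERR_NULL:       return "null allocation";
    case PGD_ERR_UNALIGNED:  return "misaligned base";
    case PGD_ERR_UNDERSIZED: return "undersized region";
    case PGD_ERR_OVERFLOW:   return "address overflow";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample inputs, not values from any real system. */
    struct { uint64_t pa, size; const char *label; } cases[] = {
        { 0x80000000ull,          0x4000ull, "well-formed PGD"          },
        { 0x80001000ull,          0x4000ull, "page-aligned but not PGD-aligned" },
        { 0x80000000ull,          0x2000ull, "only two pages supplied"  },
        { 0x0ull,                 0x4000ull, "null allocation"          },
        { 0xFFFFFFFFFFFFC000ull,  0x8000ull, "region wraps address space" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        enum pgd_check_result r = check_host_pgd(cases[i].pa, cases[i].size);
        printf("%-36s -> %s (%llu usable pages)\n", cases[i].label,
               pgd_check_name(r),
               (unsigned long long)pgd_pool_pages(cases[i].pa, cases[i].size));
    }
    return 0;
}
```

The point of splitting the check from the pool filler is that every consumer of the region goes through one gate: a misaligned or short region is refused up front with a clear error instead of surfacing later as a failed page allocation deep in stage-2 setup, which is the failure mode the Q&A above describes.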