CVE-2026-0029
Received Received - Intake
Logic Error in pkvm_init_vm Causes Local Privilege Escalation

Publication date: 2026-03-02

Last updated on: 2026-03-06

Assigner: Android (associated with Google Inc. or Open Handset Alliance)

Description
In __pkvm_init_vm of pkvm.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0029
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google android *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0029 is a vulnerability in the protected Kernel-based Virtual Machine (pKVM) implementation on ARM64 architectures. It occurs when an undersized or misaligned Page Global Directory (PGD) allocation is provided to the hypervisor. This misalignment causes a failure during the guest stage-2 initialization because the hypervisor expects to allocate physically aligned memory pages from a pre-filled pool, which fails if the PGD is misaligned.

The root cause is a logic error in the code that does not properly check the alignment of the PGD allocation, leading to memory corruption and a crash in the hypervisor. This can result in local escalation of privilege without requiring additional execution privileges or user interaction.

Impact Analysis

This vulnerability can lead to local escalation of privilege on affected ARM64 systems using pKVM. An attacker with local access could exploit the memory corruption caused by the misaligned PGD allocation to gain higher privileges within the system.

Because no additional execution privileges or user interaction are needed, the vulnerability increases the risk of unauthorized privilege escalation, potentially allowing an attacker to compromise the security of the virtualized environment or the host system.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a logic error in the pKVM implementation on ARM64 architectures related to misaligned Page Global Directory (PGD) allocations causing crashes during guest stage-2 initialization.

Detection would require checking the alignment and size of PGD allocations passed to the hypervisor at Exception Level 2 (EL2). Since this is a low-level kernel/hypervisor issue, detection might involve inspecting kernel logs for crashes related to guest_s2_zalloc_pages_exact() failures or hyp_alloc_pages() allocation failures.

No specific commands or network detection methods are provided in the available resources.

Mitigation Strategies

The vulnerability is fixed by patches that add early checks for the host-provided PGD alignment to ensure it meets physical alignment constraints, preventing the hypervisor crash.

Immediate mitigation steps include applying the official patches to the ARM64 KVM hypervisor code, specifically the fixes in arch/arm64/kvm/hyp/nvhe/mem_protect.c and arch/arm64/kvm/hyp/nvhe/pkvm.c.

Since this is a local privilege escalation vulnerability requiring no user interaction, ensuring your system is updated with the latest kernel/hypervisor patches from your vendor or Android security updates is critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart