CVE-2026-0038
Logic Error in mem_protect.c Enables Local Privilege Escalation
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | * | |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0038 is a security vulnerability in the Android kernel's KVM (Kernel-based Virtual Machine) implementation for the ARM64 architecture. It arises from a logic error in multiple functions of mem_protect.c that allows the execution of arbitrary code, leading to local escalation of privilege without requiring any additional execution privileges or user interaction.

Technically, the vulnerability involves improper handling of the Memory Tagging Extension (MTE) for non-protected guests under pKVM. The host's state of the HCR_EL2 register, which controls Memory Tagging, is trusted for guests. If the host is buggy or malicious, it can enable Memory Tagging for guests even when it is disabled on the host, creating a security risk.

The vulnerability is mitigated by patches that enforce disabling Memory Tagging for all guests by default, regardless of the host's HCR_EL2 state, preventing unauthorized enabling of Memory Tagging and improper donation of non-memory regions to guests. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to local escalation of privilege on affected Android devices running the ARM64 kernel with KVM enabled. An attacker with local access could exploit the logic error to execute arbitrary code with elevated privileges without needing additional execution rights or user interaction.
Such an escalation could allow an attacker to gain unauthorized control over the system, potentially compromising system integrity, accessing sensitive data, or bypassing security mechanisms.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-0038, apply the patches that fix the Android kernel's KVM implementation for the ARM64 architecture. These patches prevent the donation of non-memory regions to guest virtual machines and enforce disabling the Memory Tagging Extension (MTE) for all guests by default, regardless of the host's state.

- Update your Android kernel to include the patch that removes support for donating non-memory regions in the functions `__pkvm_host_donate_guest()` and `__pkvm_host_donate_sglist_guest()` in mem_protect.c.
- Apply the patch that disables Memory Tagging for all guests by overriding the host's HCR_EL2 register state during trap activation, ensuring guests cannot enable Memory Tagging if the host does not support it.
- Monitor Android kernel updates and apply any upstream fixes that provide a cleaner solution to this vulnerability once available.

[1, 2, 3, 4]