CVE-2026-0038
Received Received - Intake
Logic Error in mem_protect.c Enables Local Privilege Escalation

Publication date: 2026-03-02

Last updated on: 2026-03-06

Assigner: Android (associated with Google Inc. or Open Handset Alliance)

Description
In multiple functions of mem_protect.c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0038
EUVD
EUVD-2026-9250
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google android *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-0038 is a security vulnerability in the Android kernel's KVM (Kernel-based Virtual Machine) implementation for the ARM64 architecture. It arises from a logic error in multiple functions of mem_protect.c that allows the execution of arbitrary code, leading to local escalation of privilege without requiring any additional execution privileges or user interaction."}, {'type': 'paragraph', 'content': "Technically, the vulnerability involves improper handling of Memory Tagging Extension (MTE) for non-protected guests under pKVM. The host's state of the HCR_EL2 register, which controls Memory Tagging, is trusted for guests. If the host is buggy or malicious, it can enable Memory Tagging for guests even when it is disabled on the host, creating a security risk."}, {'type': 'paragraph', 'content': "The vulnerability is mitigated by patches that enforce disabling Memory Tagging for all guests by default, regardless of the host's HCR_EL2 state, preventing unauthorized enabling of Memory Tagging and improper donation of non-memory regions to guests."}] [1, 2, 3, 4]

Impact Analysis

This vulnerability can lead to local escalation of privilege on affected Android devices running the ARM64 kernel with KVM enabled. An attacker with local access could exploit the logic error to execute arbitrary code with elevated privileges without needing additional execution rights or user interaction.

Such an escalation could allow an attacker to gain unauthorized control over the system, potentially compromising system integrity, accessing sensitive data, or bypassing security mechanisms.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate CVE-2026-0038, apply the patches that fix the Android kernel's KVM implementation for the ARM64 architecture. These patches prevent the donation of non-memory regions to guest virtual machines and enforce disabling Memory Tagging Extension (MTE) for all guests by default, regardless of the host's state."}, {'type': 'list_item', 'content': "Update your Android kernel to include the patch that removes support for donating non-memory regions in the functions '__pkvm_host_donate_guest()' and '__pkvm_host_donate_sglist_guest()' in mem_protect.c."}, {'type': 'list_item', 'content': "Apply the patch that disables Memory Tagging for all guests by overriding the host's HCR_EL2 register state during trap activation, ensuring guests cannot enable Memory Tagging if the host does not support it."}, {'type': 'list_item', 'content': 'Monitor Android kernel updates and apply any upstream fixes that provide a cleaner solution to this vulnerability once available.'}] [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0038. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart