{"id":"ASB-A-440584506","details":"In multiple functions of ffa.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-440584506","CVE-2026-0037"],"modified":"2026-04-16T15:14:46.093391Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2026-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031"],"spl":"2026-03-05","vanir_signatures":[{"source":"https://android.googlesource.com/kernel/common/+/6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031","id":"ASB-A-440584506-5a93fd6d","deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/ffa.c","function":"ffa_host_store_handle"},"signature_type":"Function","signature_version":"v1","digest":{"length":586,"function_hash":"34754192895805868191906683820398228588"}},{"source":"https://android.googlesource.com/kernel/common/+/6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031","id":"ASB-A-440584506-8d3182a7","deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/ffa.c"},"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["309958638124952564743267600500747358625","45525927466984406429748276993963547607","11653997067889707893873282969351042328","180574919500815140738880605131144875687","309965566704068005093445272871121147598","315729318448359800524169121402437374178","226420688572529546715779431521695914827","112794990496460626819251869410753443305","198918122497370454225418113782850017360","192383364290772175224148373631938539170","259704639271937673044684940562344216698","156167124664056564335004978470698270853","208506889261601858359845550164221862638","299854963520145265089625191978377345284","295989182962820353223353387503386295152","327103383512219640394472124327385900605","81309089389129129104632812320450081260","293032476811429883072150516533968334681","293832492031998398836213863098434552345","243044552556953888481208359171775160950","49067536268364178992387309716890631923","107267826103938626124885011611567080718","54832729643187533036938867291144915620","311510429034424347898820082052665439008","71133778263422153511648368207738364260","237330604213999913461693621278676820382","238684923179165880251855721121401576476","105950759777016790187172780757562815918","115679755775019076033924081411545209862","304882055553927570116593625740582032612","248341103455901911367377025226388646279","153000964642516233685793603034403410639","185047693346433133082630112946018629283","304460929411720790788212246337222121877","246140933445036782128324392794879108500","134712725650853943327090673717032080756","222547913442663310744890489859296998888","191851370219201402215803449641041853169","33481638336688483599575813603136316564"],"threshold":0.9}},{"source":"https://android.googlesource.com/kernel/common/+/6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031","id":"ASB-A-440584506-c99ca39d","deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/ffa.c","function":"__do_ffa_mem_xfer"},"signature_type":"Function","signature_version":"v1","digest":{"length":3585,"function_hash":"270785408193316304490795728822343011886"}}],"types":["EoP"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-440584506.json"}}],"schema_version":"1.7.5"}