{"id":"ASB-A-443123065","details":"In __pkvm_host_share_guest of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-443123065","CVE-2026-0028"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/986614312222d4b3bdcf16840cdb4abdaed8a42d"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2026-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"severity":"Critical","vanir_signatures":[{"signature_version":"v1","digest":{"length":456,"function_hash":"140393265081442329449425783156025100417"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"guest_get_valid_pte"},"source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","signature_type":"Function","id":"ASB-A-443123065-033c1c84"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["44926279662848227298945946291225112521","44475587629505316290481058361178115207","312696659692566270947612793160483335197","63347437467375900414232445822442756376","15020113626905274813333059629451368897","291517487197934246825722481071241326196","178552814958078897454828864576715563622","21057071194608305058566548333226160158"]},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"source":"https://android.googlesource.com/kernel/common/+/986614312222d4b3bdcf16840cdb4abdaed8a42d","signature_type":"Line","id":"ASB-A-443123065-2a2f1029"},{"signature_version":"v1","digest":{"length":265,"function_hash":"224810733133245517766745445897791307863"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__guest_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","signature_type":"Function","id":"ASB-A-443123065-4770adc9"},{"signature_version":"v1","digest":{"length":888,"function_hash":"140949518599310097241290695311343292039"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__check_host_shared_guest"},"source":"https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472","signature_type":"Function","id":"ASB-A-443123065-63c63fd2"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["270330813582972435842825277868865552248","168447780493469594233519959388700978034","294757987269085764511122189923270549889","251592362683850198349127019951702516402","265288599003728691136953214011276270544","169618891839342428373414438030236830383","225491944656961097582350286717486320342","15020113626905274813333059629451368897","306848634213538203798184025825774940070","65605068926131335295381250070305785100","242660080755050945565192417065352649796","38856485533434927858284127021139892603","91605049657459443963612922182375553364","94348289244060149100355456637783702542","48567883908640950188812079702849294404","222783720599958153769640741285542939394","173489169071988178767501145008183526800","117501579311764509242038553729906494002","32406168355031765626531870443972243146","14958644128609230618949323028030841853","337801667975793736694208535652622978499"]},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"source":"https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472","signature_type":"Line","id":"ASB-A-443123065-6889c9dc"},{"signature_version":"v1","digest":{"length":244,"function_hash":"14275683682963994283896238352472740213"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__host_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/986614312222d4b3bdcf16840cdb4abdaed8a42d","signature_type":"Function","id":"ASB-A-443123065-69fcfe24"},{"signature_version":"v1","digest":{"length":296,"function_hash":"271143831420277048443178721599003331657"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__guest_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472","signature_type":"Function","id":"ASB-A-443123065-74ee0d4d"},{"signature_version":"v1","digest":{"length":288,"function_hash":"180466545224193090028264095900979382567"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__guest_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/986614312222d4b3bdcf16840cdb4abdaed8a42d","signature_type":"Function","id":"ASB-A-443123065-9b5f5ec6"},{"signature_version":"v1","digest":{"length":488,"function_hash":"170680755638094553506667093797892125235"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"___host_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","signature_type":"Function","id":"ASB-A-443123065-a907d5bb"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["270330813582972435842825277868865552248","41755106572300848336673352833570550237","154267648795344506484886981289337652728","235678429952762461034075733795936955721","268747802010080201098370348937141814481","233584329941717470082292767973561197320","61264962345220014820310662083950283111","96277611542100000118530570091945907898","15020113626905274813333059629451368897","306848634213538203798184025825774940070","65605068926131335295381250070305785100","242660080755050945565192417065352649796","299090722878015974131273378308896121852","238231049761437256322825198818663779035","235791909068065699509332621156496288269","33517853298061888229925141020800035291","83255801305818146573640562624568545059","14565447768208093161553499218307741283"]},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","signature_type":"Line","id":"ASB-A-443123065-b622da72"},{"signature_version":"v1","digest":{"length":784,"function_hash":"58003540130136357195230989543609452463"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"___host_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472","signature_type":"Function","id":"ASB-A-443123065-ca84c096"},{"signature_version":"v1","digest":{"length":264,"function_hash":"273050602761954097886820638526786646067"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__host_check_page_state_range"},"source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","signature_type":"Function","id":"ASB-A-443123065-cb457ab9"},{"signature_version":"v1","digest":{"length":1216,"function_hash":"225761543947095484688123447912240333445"},"deprecated":false,"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__pkvm_host_share_guest"},"source":"https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472","signature_type":"Function","id":"ASB-A-443123065-e38198e8"}],"types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/986614312222d4b3bdcf16840cdb4abdaed8a42d","https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","https://android.googlesource.com/kernel/common/+/f3a4b4d4a1fe2aface7de74ac257b8705b6de472"],"spl":"2026-03-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-443123065.json"}}],"schema_version":"1.7.5"}