{"id":"ASB-A-443668075","details":"In __pkvm_init_vm of pkvm.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-443668075","CVE-2026-0029"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/ae242b26371808a221578b89c937568781719d2c"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/42eff3b2fd3a906ac8cdb6284d3265bc0856b56b"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/749cf1743eb22eff1851c68a533147e1af97a9bf"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2026-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/ae242b26371808a221578b89c937568781719d2c","https://android.googlesource.com/kernel/common/+/42eff3b2fd3a906ac8cdb6284d3265bc0856b56b","https://android.googlesource.com/kernel/common/+/749cf1743eb22eff1851c68a533147e1af97a9bf"],"vanir_signatures":[{"signature_version":"v1","digest":{"length":1323,"function_hash":"152061176676912564967588993662256565131"},"target":{"function":"__pkvm_init_vm","file":"arch/arm64/kvm/hyp/nvhe/pkvm.c"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/749cf1743eb22eff1851c68a533147e1af97a9bf","id":"ASB-A-443668075-350139b4"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["299012250674758203345789097958333677862","315293476878049035998153523304139290327","271263212807650943796179841566384571579","62308010140200245065792117709481948918"]},"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/749cf1743eb22eff1851c68a533147e1af97a9bf","id":"ASB-A-443668075-484c221c"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["299012250674758203345789097958333677862","315293476878049035998153523304139290327","271263212807650943796179841566384571579","62308010140200245065792117709481948918"]},"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/42eff3b2fd3a906ac8cdb6284d3265bc0856b56b","id":"ASB-A-443668075-4a6dbd4a"},{"signature_version":"v1","digest":{"length":219,"function_hash":"229334516896925076192725713039311228210"},"target":{"function":"guest_s2_zalloc_pages_exact","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/749cf1743eb22eff1851c68a533147e1af97a9bf","id":"ASB-A-443668075-5202ce36"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["180873601798706501084966796765009097370","243944970726779041885803300082899728928","180836427021977815630184846350021618481","227839573386164085119631898137147681590"]},"target":{"file":"arch/arm64/kvm/hyp/nvhe/pkvm.c"},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/42eff3b2fd3a906ac8cdb6284d3265bc0856b56b","id":"ASB-A-443668075-5879dda4"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["331547901651569663552211597892856528013","175577852943395756318284371700711363698","184212635145877519056997650065023996923","273474119879800844398921903320705294370"]},"target":{"file":"arch/arm64/kvm/hyp/nvhe/pkvm.c"},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/749cf1743eb22eff1851c68a533147e1af97a9bf","id":"ASB-A-443668075-85ddd271"},{"signature_version":"v1","digest":{"length":219,"function_hash":"229334516896925076192725713039311228210"},"target":{"function":"guest_s2_zalloc_pages_exact","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/42eff3b2fd3a906ac8cdb6284d3265bc0856b56b","id":"ASB-A-443668075-ad16dca8"},{"signature_version":"v1","digest":{"length":219,"function_hash":"229334516896925076192725713039311228210"},"target":{"function":"guest_s2_zalloc_pages_exact","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/ae242b26371808a221578b89c937568781719d2c","id":"ASB-A-443668075-b469e349"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["66884226558480240002182492700455406174","125099735616185686504868658816147993864","218649324270245463169039015737595884936","36464640937342043812216371050695440141"]},"target":{"file":"arch/arm64/kvm/hyp/nvhe/pkvm.c"},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/ae242b26371808a221578b89c937568781719d2c","id":"ASB-A-443668075-c8756611"},{"signature_version":"v1","digest":{"length":1280,"function_hash":"288658818162809701058574826751871468785"},"target":{"function":"__pkvm_init_vm","file":"arch/arm64/kvm/hyp/nvhe/pkvm.c"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/ae242b26371808a221578b89c937568781719d2c","id":"ASB-A-443668075-dc297b1b"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["299012250674758203345789097958333677862","315293476878049035998153523304139290327","271263212807650943796179841566384571579","62308010140200245065792117709481948918"]},"target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/ae242b26371808a221578b89c937568781719d2c","id":"ASB-A-443668075-e510bf26"},{"signature_version":"v1","digest":{"length":1248,"function_hash":"256453628095604252572017021978221899564"},"target":{"function":"__pkvm_init_vm","file":"arch/arm64/kvm/hyp/nvhe/pkvm.c"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/42eff3b2fd3a906ac8cdb6284d3265bc0856b56b","id":"ASB-A-443668075-edc603e7"}],"severity":"High","spl":"2026-03-05","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-443668075.json"}}],"schema_version":"1.7.5"}