{"id":"ASB-A-459479964","details":"In multiple functions of mem_protect.c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-459479964","CVE-2026-0038"],"modified":"2026-04-16T15:14:46.093391Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/652b7b6bf9a62cc12c3a071bab4e92314f046739"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/f090d4b083a9ef4831f99e692c239542dd385cb4"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/7e1d15d29b7fe0f858926a8bcaf929b75db9e52a"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/b23a5bfa1fb8f9525e21f095a87486a2bd856321"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/513ea99ae008b81dd266bf6e361627c058ddde41"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/1bf8033b56a45165602f8116e0a0d2e767f1e8ae"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/d884f499434c224285c30d460681f1ce76a8cf1f"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2026-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-459479964-1785acba","target":{"file":"arch/arm64/kvm/hyp/include/hyp/switch.h"},"digest":{"line_hashes":["141493544575779251009795284625380576619","85284773167186548631365352080801133115","276113984912318799173108405012186550974"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/1bf8033b56a45165602f8116e0a0d2e767f1e8ae"},{"id":"ASB-A-459479964-2c373c57","target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__pkvm_host_donate_guest"},"digest":{"length":879,"function_hash":"330954540714767354495383917839935120092"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/d884f499434c224285c30d460681f1ce76a8cf1f"},{"id":"ASB-A-459479964-48b7bb07","target":{"file":"arch/arm64/kvm/hyp/include/hyp/switch.h","function":"___activate_traps"},"digest":{"length":289,"function_hash":"320091642157168254856659365051621970867"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/1bf8033b56a45165602f8116e0a0d2e767f1e8ae"},{"id":"ASB-A-459479964-5e6f5026","target":{"file":"arch/arm64/kvm/hyp/include/hyp/switch.h","function":"___activate_traps"},"digest":{"length":307,"function_hash":"271017566507590861802784962080756482397"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/b23a5bfa1fb8f9525e21f095a87486a2bd856321"},{"id":"ASB-A-459479964-8cfc16f1","target":{"file":"arch/arm64/kvm/hyp/include/hyp/switch.h"},"digest":{"line_hashes":["269756330032448537901270414351088033281","85284773167186548631365352080801133115","276113984912318799173108405012186550974"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/b23a5bfa1fb8f9525e21f095a87486a2bd856321"},{"id":"ASB-A-459479964-91289561","target":{"file":"arch/arm64/kvm/arm.c"},"digest":{"line_hashes":["236988563559189537519035642110889872426","229148890178075844274484247097144130694","105761220992910305830717795771877303986","26799471277481304780099663904346698943"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/7e1d15d29b7fe0f858926a8bcaf929b75db9e52a"},{"id":"ASB-A-459479964-9df14129","target":{"file":"arch/arm64/kvm/arm.c"},"digest":{"line_hashes":["236988563559189537519035642110889872426","308932647879667452829737570987306322030","180179273791410505688592567978568889436","147967488583419337551590130568359217731"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/652b7b6bf9a62cc12c3a071bab4e92314f046739"},{"id":"ASB-A-459479964-a450bb4b","target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__pkvm_host_donate_sglist_guest"},"digest":{"length":1323,"function_hash":"287142359475656402530583202153277875154"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/d884f499434c224285c30d460681f1ce76a8cf1f"},{"id":"ASB-A-459479964-a4d4ab3a","target":{"file":"arch/arm64/kvm/arm.c","function":"cpu_prepare_hyp_mode"},"digest":{"length":863,"function_hash":"304630760426190043995549604118980935612"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/652b7b6bf9a62cc12c3a071bab4e92314f046739"},{"id":"ASB-A-459479964-a6df5832","target":{"file":"arch/arm64/kvm/arm.c","function":"cpu_prepare_hyp_mode"},"digest":{"length":1115,"function_hash":"282545879002881570040477716396089763761"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/513ea99ae008b81dd266bf6e361627c058ddde41"},{"id":"ASB-A-459479964-a8d55d33","target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c","function":"__host_set_owner_guest"},"digest":{"length":449,"function_hash":"174377758408620052482093619364876174027"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/d884f499434c224285c30d460681f1ce76a8cf1f"},{"id":"ASB-A-459479964-b6e13b2b","target":{"file":"arch/arm64/kvm/arm.c"},"digest":{"line_hashes":["236988563559189537519035642110889872426","229148890178075844274484247097144130694","105761220992910305830717795771877303986","26799471277481304780099663904346698943"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/513ea99ae008b81dd266bf6e361627c058ddde41"},{"id":"ASB-A-459479964-c5819b02","target":{"file":"arch/arm64/kvm/arm.c","function":"cpu_prepare_hyp_mode"},"digest":{"length":1098,"function_hash":"148455231156901232607433984652278306282"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/7e1d15d29b7fe0f858926a8bcaf929b75db9e52a"},{"id":"ASB-A-459479964-d378d43b","target":{"file":"arch/arm64/kvm/hyp/include/hyp/switch.h","function":"___activate_traps"},"digest":{"length":307,"function_hash":"271017566507590861802784962080756482397"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f090d4b083a9ef4831f99e692c239542dd385cb4"},{"id":"ASB-A-459479964-efb88e22","target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"digest":{"line_hashes":["130046018085051392414450126771360080024","319209242661449281219158194248935543430","84731492265535399205334050448566989734","181530630109788671659878935143154103342","225819931753187724971274331426526794543","299936046761399543501944200815227031573","322020498915043821244872253508755887953","142438106793154665310960168403458570332","139269121756751079861775453555798014527","271629652544606746017769357031623685839","168655028215865650100791076354040236512","140092686530833111453613911048245871042","133464711327352232158925551124132984461","241432134751587665911480757364573960505","14371009891233503998878972684901729867","294945633559902269341662231436888792930","337807546107552093483992282704554248830","153377509931536161837182679317110557689","20396822225622377178816585985623271815","24798699172789186443837978039163817898","149751057617248040109239273814010913996","198115197298423232860852438212585137632","328920446623930610486125190365941778717","125334101166212192120184947641717329080","269639077366187230122593757435070611334","306973608026366333059227625597416353554","210641888596784825569310271716763630563","199658496425620173021706973343760557012","161637938024022533784747303388255611772","109664379858610946340715233749790412271","70538175170065718107179187758631969076","36986081116199168602386241539146133759","249776795102747698254526194508991631255","226185966171083737843322690570539168297","246792842969216904268790952689456593864","190560254514578231814747201232179891526","76520579158944759821087113690038450965","272423096885976881823422207677046909357","37560185452920041706316066614631595689","228638860905346734823701240766777323974","171615919274301564036264506027196449032","231877194515473396725110231342557758448","32953678557792228079976280304996698736","165702068920084176476323748464154231750","139071785721332132945327005593821551747","189119817853419691885359517975012053592","219175717543667922630300279096937009695","257925747974022515280499025460522541172","4835485824180898340514491103107696242","319321365816842645763756605542747029844","114208460682356595628363542797946290440","19133485142454809642602607491045375536","250515189759306529237180071203812381205","339149956566018199541973450779334948215","313118986428480709213288633427706867859","51383429071358802009646127772559146050","136555397319116192127246471048494426874","169883666188444544866648319976852190082","339424532851788597967798252990803195318","336976297247558364233791910745031568978","161637938024022533784747303388255611772"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/d884f499434c224285c30d460681f1ce76a8cf1f"},{"id":"ASB-A-459479964-fc7b3681","target":{"file":"arch/arm64/kvm/hyp/include/hyp/switch.h"},"digest":{"line_hashes":["269756330032448537901270414351088033281","85284773167186548631365352080801133115","276113984912318799173108405012186550974"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/f090d4b083a9ef4831f99e692c239542dd385cb4"}],"spl":"2026-03-05","severity":"Critical","fixes":["https://android.googlesource.com/kernel/common/+/652b7b6bf9a62cc12c3a071bab4e92314f046739","https://android.googlesource.com/kernel/common/+/f090d4b083a9ef4831f99e692c239542dd385cb4","https://android.googlesource.com/kernel/common/+/7e1d15d29b7fe0f858926a8bcaf929b75db9e52a","https://android.googlesource.com/kernel/common/+/b23a5bfa1fb8f9525e21f095a87486a2bd856321","https://android.googlesource.com/kernel/common/+/513ea99ae008b81dd266bf6e361627c058ddde41","https://android.googlesource.com/kernel/common/+/1bf8033b56a45165602f8116e0a0d2e767f1e8ae","https://android.googlesource.com/kernel/common/+/d884f499434c224285c30d460681f1ce76a8cf1f"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-459479964.json"}}],"schema_version":"1.7.5"}