Description
In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The flaw resides in smmu_detach_dev within arm-smmu-v3.c, where a use‑after‑free can cause an out‑of‑bounds write. An attacker with local access can exploit this without any user interaction to raise privileges to system level, enabling full control over the device.

Affected Systems

All Android devices that run the Linux kernel subset incorporating the SMMU v3 driver. This applies to every Android release version before the issue is patched, regardless of vendor.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity, and the EPSS is less than 1 %, showing that public exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is local; the attacker does not need to interact with a user, so any locally‑present process can trigger the flaw.

Generated by OpenCVE AI on April 18, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that fixes the smmu_detach_dev issue.
  • If the patch cannot be applied immediately, restrict or disable device‑management commands that invoke SMMU detach from non‑privileged contexts.
  • Consider disabling SMMU support when it is not required for device functionality to eliminate the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 10:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Title Android Kernel SMMU Detach Device Out of Bounds Write Leading to Local Privilege Escalation

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:52:29.204Z

Reserved: 2025-10-15T15:39:07.139Z

Link: CVE-2026-0027

cve-icon Vulnrichment

Updated: 2026-03-02T21:04:41.815Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:30.897

Modified: 2026-03-06T04:16:05.430

Link: CVE-2026-0027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses