Description
In multiple functions of mem_protect.c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

In the Android kernel source file mem_protect.c, a logic error permits an attacker to execute arbitrary code at the kernel level, enabling local privilege escalation. The flaw can be triggered without any user interaction and does not require additional execution privileges, allowing a standard user to gain kernel privileges. The vulnerability is a classic example of improper privilege management within kernel code, leading to potential compromise of system integrity and confidentiality.

Affected Systems

Android operating systems that include the affected kernel version, specifically devices running the Google Android kernel before the immediately released patch. Exact firmware versions are not disclosed in the advisory, so all devices running kernel builds that incorporate the faulty mem_protect.c functions are considered vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 8.4 reflects high severity, and although the EPSS score is currently under 1%, which indicates a low probability of exploitation in the immediate future, the vulnerability remains critical due to the lack of user interaction and the ability to elevate privileges to kernel level. The vulnerability is not listed in the CISA KEV catalog at this time, but adversaries with local access to a device could exploit the flaw with minimal effort, especially if no mitigating controls are in place.

Generated by OpenCVE AI on April 17, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the Android security update that addresses the mem_protect.c logic flaw as published in the March 2026 security bulletin
  • If a device cannot be updated, limit local user accounts to non-administrative roles and isolate critical services using SELinux or other mandatory access controls
  • Restrict the loading of unsigned kernel modules and consider disabling unnecessary kernel modules to reduce the attack surface

Generated by OpenCVE AI on April 17, 2026 at 13:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In multiple functions of mem_protect.c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:58:08.209Z

Reserved: 2025-10-15T15:39:25.171Z

Link: CVE-2026-0038

cve-icon Vulnrichment

Updated: 2026-03-02T20:17:58.480Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:31.863

Modified: 2026-03-06T04:16:06.970

Link: CVE-2026-0038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses