Description
In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Published: 2026-03-10
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure in Trusted Execution Environment
Action: Update OS
AI Analysis

Impact

A side‑channel vulnerability in Android’s Trusted Execution Environment can leak cryptographic keys, which the official description characterizes as physical information disclosure. The flaw requires no additional execution privileges and does not result in code execution; it exposes data that the TEE protects. The official description states that exploitation requires user interaction, implying a local or physical attack context.

Affected Systems

All Android devices with a Trusted Execution Environment, as referenced in the March 2026 Android Security Bulletin. No specific version restrictions are listed; the vulnerability applies to devices covered by the bulletin at the time of disclosure.

Risk and Exploitability

The CVSS score of 2.1 signals low severity, and the EPSS score of less than 1% suggests that exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. The CVSS vector specifies a physical attack vector (AV:P) with user interaction required (UI:R), so an attacker would need local or physical proximity to the device to mount a side‑channel attack. While the risk to large populations is low, a determined adversary with in‑person access could potentially exploit the side channel to exfiltrate protected data.

Generated by OpenCVE AI on April 16, 2026 at 03:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Android March 2026 security patch that addresses the TEE key leakage
  • Apply any available updates to the Trusted Execution Environment firmware and secure element components
  • Enforce device access controls to limit physical proximity during sensitive operations



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 03:45:00 +0000

Type | Values Removed | Values Added
Title | | Android TEE Side‑Channel Key Leak Allowing Physical Information Disclosure

Wed, 11 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Wed, 11 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-1300
References | |
Metrics | | cvssV3_1: {'score': 2.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google android
Vendors & Products | | Google; Google android

Tue, 10 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
References | |

MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-03-11T14:28:00.198Z

Reserved: 2025-10-23T08:43:11.363Z

Link: CVE-2026-0115

Vulnrichment

Updated: 2026-03-11T14:26:14.450Z

NVD

Status: Analyzed

Published: 2026-03-10T21:16:44.953

Modified: 2026-03-11T17:13:49.327

Link: CVE-2026-0115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses