CVE-2026-0029 Overview
CVE-2026-0029 is a local privilege escalation vulnerability in the Android kernel's protected KVM (pKVM) hypervisor component. The flaw resides in the __pkvm_init_vm function within pkvm.c, where a logic error allows memory corruption during virtual machine initialization. A local attacker can exploit the issue without user interaction and without requiring additional execution privileges. Google addressed the issue in the March 2026 Android Security Bulletin.
Critical Impact
Local attackers can corrupt hypervisor memory to escalate privileges on affected Android devices, potentially compromising the protected KVM trust boundary that isolates sensitive workloads from the host kernel.
Affected Products
- Google Android (kernel pKVM component)
- Android devices using protected KVM virtualization
- Android builds prior to the March 2026 security patch level
Discovery Timeline
- 2026-03-02 - CVE-2026-0029 published to NVD
- 2026-03-06 - Last updated in NVD database
Technical Details for CVE-2026-0029
Vulnerability Analysis
The vulnerability exists in __pkvm_init_vm, the routine responsible for initializing a guest virtual machine within the protected KVM hypervisor on ARM64 Android kernels. Protected KVM enforces isolation between guest VMs and the host kernel, ensuring the host cannot access guest memory. A logic error during VM initialization breaks an internal invariant, allowing memory corruption within the hypervisor's privileged execution context [CWE-269: Improper Privilege Management].
Because pKVM operates at exception level EL2, corruption inside this component undermines the trust boundary protecting confidential workloads. Successful exploitation grants the attacker elevated privileges on the device.
Root Cause
The root cause is a logic error in the VM initialization path within pkvm.c. The fix is distributed across three upstream commits: 42eff3b2, 749cf174, and ae242b26. These patches correct state validation and resource handling during pKVM VM setup to prevent the corruption condition.
Attack Vector
Exploitation requires local code execution on the target device. The vulnerable routine runs in the hypervisor when the host creates a protected VM, so triggering it means reaching the host's KVM interface (ioctls on /dev/kvm) from the attacking process. On production builds SELinux policy normally confines that interface to the virtualization service and its VM runner, so how directly an unprivileged app can reach the path depends on the device's policy; the bulletin nevertheless rates the issue as needing no additional execution privileges. No user interaction is required. Because the corruption occurs in hypervisor memory, successful exploitation can yield control over privileged kernel structures and bypass the platform's isolation guarantees.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.
// No verified exploitation code is publicly available.
// Refer to the Android kernel commits referenced below for fix details:
// 42eff3b2fd3a906ac8cdb6284d3265bc0856b56b
// 749cf1743eb22eff1851c68a533147e1af97a9bf
// ae242b26371808a221578b89c937568781719d2c
Detection Methods for CVE-2026-0029
Indicators of Compromise
- Unexpected kernel panics or hypervisor faults referencing pkvm or __pkvm_init_vm in kernel logs (dmesg, logcat)
- Anomalous creation of protected VMs by unprivileged user-space processes
- Crashes or stalls during pKVM guest initialization on devices that previously ran stable workloads
Detection Strategies
- Verify the Android security patch level on managed devices and flag any device below the March 2026 patch level
- Monitor mobile device management (MDM) telemetry for builds containing the unpatched kernel revisions referenced in the Android Security Bulletin
- Correlate kernel oops or hypervisor exception events with the processes that opened /dev/kvm or issued KVM ioctls around the same time, and flag any that are not the platform's own virtualization components
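The two checks above (patch-level compliance and correlating hypervisor faults with the process that triggered them), as an added example; this is not code from the advisory or from the Android project. It assumes a dmesg-style log where KVM messages carry the "kvm [pid]:" prefix the kernel's kvm_err()/kvm_info() helpers add, and it uses a constructed "open /dev/kvm" audit line format, constructed sample log lines, illustrative fault signatures, and an assumed allowlist of expected VM creators (crosvm, virtualizationservice); tune all of those to the vendor kernel and build in front of you.

```python
import re
from datetime import date

# Security patch level that carries the fix (March 2026 Android Security Bulletin).
FIXED_PATCH_LEVEL = date(2026, 3, 1)


def parse_patch_level(getprop_output):
    """Parse `getprop ro.build.version.security_patch` output (YYYY-MM-DD)."""
    value = getprop_output.strip()
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        raise ValueError("unexpected ro.build.version.security_patch: %r" % value)
    return date.fromisoformat(value)


def is_patched(getprop_output):
    """True when the reported patch level is at or above the fixed level."""
    return parse_patch_level(getprop_output) >= FIXED_PATCH_LEVEL


# dmesg-style line: "[   43.200100] kvm [4321]: message".
DMESG_LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
# "kvm [pid]:" is the prefix kvm_err()/kvm_info() add; pid is the calling task.
KVM_PID = re.compile(r"^kvm \[(?P<pid>\d+)\]:")
# Illustrative signatures for a fault inside the pKVM hypervisor (assumption).
PKVM_FAULT = re.compile(r"__pkvm_init_vm|nVHE hyp (panic|BUG)|\bpkvm\b", re.I)
# Constructed audit-line format recording which process opened /dev/kvm.
KVM_OPEN = re.compile(r"pid=(?P<pid>\d+) comm=(?P<comm>\S+) open /dev/kvm")
# Processes expected to create VMs on an AVF device (assumption; adjust per build).
EXPECTED_VM_CREATORS = {"crosvm", "virtualizationservice"}


def scan_kernel_log(lines):
    """Return (faults, openers).

    faults:  list of (timestamp, pid or None, message) for lines matching a
             pKVM fault signature, with the pid taken from the "kvm [pid]:" prefix.
    openers: dict pid -> comm for processes seen opening /dev/kvm.
    """
    faults, openers = [], {}
    for line in lines:
        m = DMESG_LINE.match(line)
        if not m:
            continue  # not a kernel log line; ignore
        msg = m.group("msg")
        o = KVM_OPEN.search(msg)
        if o:
            openers[int(o.group("pid"))] = o.group("comm")
        if PKVM_FAULT.search(msg):
            p = KVM_PID.match(msg)
            pid = int(p.group("pid")) if p else None
            faults.append((float(m.group("ts")), pid, msg))
    return faults, openers


def suspicious_faults(lines):
    """pKVM faults attributed to a process that is not an expected VM creator.

    A fault whose pid never appeared opening /dev/kvm is reported with comm None,
    since an unknown creator is exactly what should be investigated.
    """
    faults, openers = scan_kernel_log(lines)
    flagged = []
    for _ts, pid, msg in faults:
        if pid is None:
            continue  # no pid to attribute; still visible in scan_kernel_log()
        comm = openers.get(pid)
        if comm not in EXPECTED_VM_CREATORS:
            flagged.append((pid, comm, msg))
    return flagged


# Constructed sample log: one fault from the platform VM runner (expected) and
# one attributed to an ordinary app process (suspicious).
SAMPLE_DMESG = """\
[   10.100000] kvm [1]: IPA Size Limit: 40 bits
[   42.500000] kvm-audit: pid=1234 comm=crosvm open /dev/kvm
[   43.000000] kvm-audit: pid=4321 comm=com.example.app open /dev/kvm
[   43.200000] kvm [1234]: nVHE hyp panic at: 0000000000000000!
[   43.200100] kvm [4321]: __pkvm_init_vm: hyp state corrupt
[   44.000000] binder: undelivered transaction
""".splitlines()

if __name__ == "__main__":
    print("patched:", is_patched("2026-03-05"), "/", is_patched("2026-02-05"))
    for pid, comm, msg in suspicious_faults(SAMPLE_DMESG):
        print("pKVM fault from unexpected process pid=%d comm=%s: %s" % (pid, comm, msg))
```

The patch-level comparison is a date comparison rather than a string one so that a malformed or missing property fails loudly instead of silently passing; the correlation key is the pid in the "kvm [pid]:" prefix, which is the task that issued the ioctl, not necessarily the app that ultimately requested a VM.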
Monitoring Recommendations
- Enforce compliance policies requiring devices to apply the March 2026 Android security patch level
- Collect kernel logs from enterprise-managed Android fleets and alert on hypervisor (EL2) fault signatures, such as kernel messages reporting a hypervisor panic or naming pkvm functions
- Track Android Security Bulletin advisories to identify additional pKVM-related issues that may share root causes
How to Mitigate CVE-2026-0029
Immediate Actions Required
- Apply the March 2026 Android security patch level on all supported devices
- Confirm OEM and carrier delivery of the patched kernel build to managed fleets
- Restrict installation of untrusted applications that could provide local code execution to an attacker
Patch Information
Google published fixes in the Android Security Bulletin March 2026. The corrections are implemented across three Android Common Kernel commits: Android Kernel Commit 42eff3b2, Android Kernel Commit 749cf174, and Android Kernel Commit ae242b26. Device vendors must rebase their downstream kernels onto these commits and ship updated firmware to end users.
Workarounds
- No official workaround exists; applying the vendor patch is required
- Reduce attack surface by limiting sideloaded applications and enforcing Google Play Protect on managed devices
- Use enterprise mobility management policies to block devices that remain below the March 2026 patch level from accessing sensitive resources
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output is 2026-03-01 or later. The value is an ISO date, so a string
# comparison works; strip the CR that adb shell output may carry.
level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
[ "$level" \< "2026-03-01" ] && echo "BELOW March 2026 patch level: $level" || echo "patched: $level"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.