{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0027", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "state": "PUBLISHED", "assignerShortName": "google_android", "dateReserved": "2025-10-15T15:39:07.139Z", "datePublished": "2026-03-02T18:42:49.690Z", "dateUpdated": "2026-03-06T03:52:29.204Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Android", "vendor": "Google", "versions": [{"status": "affected", "version": "Android kernel"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.</p>"}], "value": "In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation."}], "problemTypes": [{"descriptions": [{"description": "Elevation of privilege", "lang": "en"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-03-06T03:52:29.204Z"}, "references": [{"url": "https://android.googlesource.com/kernel/common/+/3af14d2057f2f3df97472cef6b293113b020d1e6"}, {"url": "https://android.googlesource.com/kernel/common/+/a47e0e78ad5b4e153b40fc1c9def11991aa6ca0c"}, {"url": "https://android.googlesource.com/kernel/common/+/5161b3e75fb025bb4ebb11fbf1ac037021e56719"}, {"tags": ["vendor-advisory"], "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.7.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-0027"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T04:56:44.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0027", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T21:03:09.375348Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:04:41.815Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "Android kernel"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://android.googlesource.com/kernel/common/+/3af14d2057f2f3df97472cef6b293113b020d1e6"}, {"url": "https://android.googlesource.com/kernel/common/+/a47e0e78ad5b4e153b40fc1c9def11991aa6ca0c"}, {"url": "https://android.googlesource.com/kernel/common/+/5161b3e75fb025bb4ebb11fbf1ac037021e56719"}, {"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.7.1"}, "descriptions": [{"lang": "en", "value": "In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.", "supportingMedia": [{"type": "text/html", "value": "<p>In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Elevation of privilege"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-03-06T03:52:29.204Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0027", "state": "PUBLISHED", "dateUpdated": "2026-03-06T03:52:29.204Z", "dateReserved": "2025-10-15T15:39:07.139Z", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "datePublished": "2026-03-02T18:42:49.690Z", "assignerShortName": "google_android"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation."}], "id": "CVE-2026-0027", "lastModified": "2026-03-06T04:16:05.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T19:16:30.897", "references": [{"source": "security@android.com", "tags": ["Patch", "Product"], "url": "https://android.googlesource.com/kernel/common/+/3af14d2057f2f3df97472cef6b293113b020d1e6"}, {"source": "security@android.com", "tags": ["Patch", "Product"], "url": "https://android.googlesource.com/kernel/common/+/5161b3e75fb025bb4ebb11fbf1ac037021e56719"}, {"source": "security@android.com", "tags": ["Patch", "Product"], "url": "https://android.googlesource.com/kernel/common/+/a47e0e78ad5b4e153b40fc1c9def11991aa6ca0c"}, {"source": "security@android.com", "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android kernel"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Android", "source": "cna", "vendor": "Google"}, "product": "android", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-18T10:07:50.076224+00:00", "value": {"mitigation_remediation": ["Apply the latest Android security patch that fixes the smmu_detach_dev issue.", "If the patch cannot be applied immediately, restrict or disable device\u2011management commands that invoke SMMU detach from non\u2011privileged contexts.", "Consider disabling SMMU support when it is not required for device functionality to eliminate the attack surface."], "summary": {"action": "Patch Immediately", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All Android devices that run the Linux kernel subset incorporating the SMMU v3 driver. This applies to every Android release version before the issue is patched, regardless of vendor.", "description_and_impact": "The flaw resides in smmu_detach_dev within arm-smmu-v3.c, where a use\u2011after\u2011free can cause an out\u2011of\u2011bounds write. An attacker with local access can exploit this without any user interaction to raise privileges to system level, enabling full control over the device.", "risk_and_exploitability": "The CVSS score is 6.7, indicating moderate severity, and the EPSS is less than 1\u202f%, showing that public exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is local; the attacker does not need to interact with a user, so any locally\u2011present process can trigger the flaw."}}}}, "created": "2026-03-03T08:41:26.369438+00:00", "title": "Android Kernel SMMU Detach Device Out of Bounds Write Leading to Local Privilege Escalation", "updated": "2026-04-18T10:15:25.872780+00:00", "vendors": ["google", "google$PRODUCT$android"]}