{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0115", "assignerOrgId": "83238938-5644-45f0-9007-c0392bcf6222", "state": "PUBLISHED", "assignerShortName": "Google_Devices", "dateReserved": "2025-10-23T08:43:11.363Z", "datePublished": "2026-03-10T20:46:44.416Z", "dateUpdated": "2026-03-11T14:28:00.198Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83238938-5644-45f0-9007-c0392bcf6222", "shortName": "Google_Devices", "dateUpdated": "2026-03-10T21:08:53.608Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "Information disclosure"}]}], "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "Android kernel"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.</p>"}]}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01", "tags": ["vendor-advisory"]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.7.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1300", "lang": "en", "description": "CWE-1300 Improper Protection of Physical Side Channels"}]}], "references": [{"url": "https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.1, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:24:52.277102Z", "id": "CVE-2026-0115", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:28:00.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "Android kernel"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.7.1"}, "descriptions": [{"lang": "en", "value": "In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.", "supportingMedia": [{"type": "text/html", "value": "<p>In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Information disclosure"}]}], "providerMetadata": {"orgId": "83238938-5644-45f0-9007-c0392bcf6222", "shortName": "Google_Devices", "dateUpdated": "2026-03-10T21:08:53.608Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.1, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0115", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:24:52.277102Z"}}}], "references": [{"url": "https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01", "tags": ["vendor-advisory"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1300", "description": "CWE-1300 Improper Protection of Physical Side Channels"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T14:26:14.450Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-0115", "state": "PUBLISHED", "dateUpdated": "2026-03-10T21:08:53.608Z", "dateReserved": "2025-10-23T08:43:11.363Z", "assignerOrgId": "83238938-5644-45f0-9007-c0392bcf6222", "datePublished": "2026-03-10T20:46:44.416Z", "assignerShortName": "Google_Devices"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Trusted Execution Environment, there is a possible key leak due to side channel information disclosure. This could lead to physical information disclosure with no additional execution privileges needed. User interaction is needed for exploitation."}, {"lang": "es", "value": "En Entorno de Ejecuci\u00f3n Confiable, existe una posible fuga de clave debido a la revelaci\u00f3n de informaci\u00f3n por canal lateral. Esto podr\u00eda conducir a la revelaci\u00f3n de informaci\u00f3n f\u00edsica sin necesidad de privilegios de ejecuci\u00f3n adicionales. Se requiere interacci\u00f3n del usuario para su explotaci\u00f3n."}], "id": "CVE-2026-0115", "lastModified": "2026-03-11T17:13:49.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-10T21:16:44.953", "references": [{"source": "dsap-vuln-management@google.com", "tags": ["Vendor Advisory"], "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01"}], "sourceIdentifier": "dsap-vuln-management@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1300"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android kernel"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Android", "source": "cna", "vendor": "Google"}, "product": "android", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T03:19:49.564624+00:00", "value": {"mitigation_remediation": ["Install the Android March\u202f2026 security patch that addresses the TEE key leakage", "Apply any available updates to the Trusted Execution Environment firmware and secure element components", "Enforce device access controls to limit physical proximity during sensitive operations"], "summary": {"action": "Update OS", "impact": "Information disclosure in Trusted Execution Environment"}, "threat_synthesis": {"affected_systems": "All Android devices that deploy the Android operating system with a Trusted Execution Environment, as referenced in the March\u202f2026 Android Security Bulletin. No specific version restrictions are listed; the vulnerability applies to devices covered by the bulletin at the time of disclosure.", "description_and_impact": "A side\u2011channel vulnerability in Android\u2019s Trusted Execution Environment can leak cryptographic keys, allowing an attacker to obtain sensitive physical information. The flaw does not require elevated privileges, and does not result in code execution; it simply exposes data that the TEE protects. The official description indicates that exploitation requires some user interaction, implying a local or physical attack context.", "risk_and_exploitability": "The CVSS score of 2.1 signals low severity, and the EPSS score of less than 1% suggests that exploitation is unlikely. The vulnerability is not cataloged in the CISA KEV list. Because the attack requires user interaction, an attacker would need local or physical proximity to the device to mount a side\u2011channel attack. While the risk to large populations is low, a determined adversary with in\u2011person access could potentially exploit the side channel to exfiltrate protected data."}}}}, "created": "2026-03-11T11:42:26.863340+00:00", "title": "Android TEE Side\u2011Channel Key Leak Allowing Physical Information Disclosure", "updated": "2026-04-16T03:30:06.062195+00:00", "vendors": ["google", "google$PRODUCT$android"]}