Cyber Posture

CVE-2026-0037

High

Published: 02 March 2026

Published
02 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0000 0.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0037 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the specific logic error causing memory corruption in ffa.c by requiring identification, reporting, and correction via the available kernel patch.

SI-16 Memory Protection good match
prevent

Implements security safeguards like ASLR, stack canaries, and non-executable memory to prevent exploitation of the out-of-bounds write vulnerability.

CM-6 Configuration Settings partial match
prevent

Establishes and enforces kernel configuration settings that enable memory protections and hardening features to mitigate the privilege escalation risk from this flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Kernel memory corruption (out-of-bounds write) directly enables local privilege escalation without privileges or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In multiple functions of ffa.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2026-0037 is a memory corruption vulnerability stemming from a logic error in multiple functions of ffa.c within the Android kernel. Classified under CWE-787 (Out-of-bounds Write), it enables local escalation of privilege without requiring additional execution privileges or user interaction. The issue received a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) upon publication on March 2, 2026.

A local attacker can exploit this vulnerability with low complexity and no privileges, potentially achieving high confidentiality, integrity, and availability impacts through privilege escalation. No user interaction is needed, making it accessible to any process running on the device.

The Android Security Bulletin for March 2026 addresses this vulnerability, with a patch available in the kernel common repository at commit 6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031. Security practitioners should apply these updates to mitigate the risk.

Details

CWE(s)
CWE-787

Affected Products

google
android
all versions

CVEs Like This One

CVE-2026-0010Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2026-0123Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49745Same product: Google Android
CVE-2026-0117Same product: Google Android
CVE-2025-32313Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-53833Same product: Google Android

References