Cyber Resilience

CVE-2026-0037

High

Published: 02 March 2026

Published
02 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 4.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0037 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0037 is a memory corruption vulnerability stemming from a logic error in multiple functions of ffa.c within the Android kernel. Classified under CWE-787 (Out-of-bounds Write), it enables local escalation of privilege without requiring additional execution privileges or user interaction. The issue received a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) upon publication on March 2, 2026.

A local attacker can exploit this vulnerability with low complexity and no privileges, potentially achieving high confidentiality, integrity, and availability impacts through privilege escalation. No user interaction is needed, making it accessible to any process running on the device.

The Android Security Bulletin for March 2026 addresses this vulnerability, with a patch available in the kernel common repository at commit 6c400c2e2e46f3a1117ce5da316ecdc1dbb1a031. Security practitioners should apply these updates to mitigate the risk.

EU & UK References

Vulnerability details

In multiple functions of ffa.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel memory corruption (out-of-bounds write) directly enables local privilege escalation without privileges or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0117Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2024-53833Same product: Google Android
CVE-2026-0123Same product: Google Android
CVE-2024-49745Same product: Google Android
CVE-2024-43097Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-43077Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific logic error causing memory corruption in ffa.c by requiring identification, reporting, and correction via the available kernel patch.

prevent

Implements security safeguards like ASLR, stack canaries, and non-executable memory to prevent exploitation of the out-of-bounds write vulnerability.

prevent

Establishes and enforces kernel configuration settings that enable memory protections and hardening features to mitigate the privilege escalation risk from this flaw.

References