← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0029 · CWE-269 · Disclosed 2026-03-02

In __pkvm_init_vm of pkvm

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a trapdoor inside a locked machine room, not a broken front door

CVE-2026-0029 is a memory-corruption bug in Android's protected KVM hypervisor path, specifically __pkvm_init_vm in pkvm.c, caused by a logic error around pVM creation. Google fixed it in the March 2, 2026 Android Security Bulletin, and devices at security patch level 2026-03-05 or later are addressed. In practice, the affected population is narrower than "all Android" because the vulnerable path depends on AVF/pKVM support, protected-VM creation, and relevant common-kernel branches where Google landed the fix commits.

Google's HIGH 8.4 score is technically defensible in a lab because hypervisor memory corruption can be devastating on a single device. In enterprise reality, that label overshoots: the bug is local-only, sits behind Android's virtualization stack, and the VM APIs are restricted rather than broadly exposed to arbitrary third-party apps. That makes this a post-compromise, feature-gated EoP, not a fleet-wide emergency.

"Kernel memory corruption matters, but this one is boxed behind local code exec, AVF support, and restricted VM access"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get code running on the device

The attacker first needs execution on the target Android handset or tablet, typically via a malicious app, adb-enabled developer workflow, or some earlier exploit. This CVE is not an initial-access bug; it only becomes relevant after code is already running locally on-device.
Conditions required:
  • Local code execution on the Android device
  • A target device that is not already at security patch level 2026-03-05 or later
Where this breaks in practice:
  • Requires a prior compromise stage or physical/developer access
  • Managed enterprise Android fleets often block sideloading, keep Developer Options off, and monitor adb use
Detection/coverage: Network scanners will not see this. Mobile EDR/MTD, Play Protect, MDM app-control policies, and adb-use telemetry are the relevant controls.
STEP 02

Reach the AVF/pKVM VM-creation path

To touch __pkvm_init_vm, the attacker has to drive Android's virtualization stack using the AVF interfaces, such as VirtualMachineManager / android.system.virtualmachine APIs or equivalent tooling around VM creation. Google's own AVF documentation states these APIs are @SystemApi and require the restricted android.permission.MANAGE_VIRTUAL_MACHINE permission, which is not available to ordinary third-party apps.
Conditions required:
  • Device supports Android Virtualization Framework
  • Access to MANAGE_VIRTUAL_MACHINE or equivalent privileged/preinstalled app context
Where this breaks in practice:
  • Third-party apps do not get these APIs by default
  • On Android 14 this permission was limited to privileged apps; on Android 15 it is available to preinstalled apps, not arbitrary downloaded apps
Detection/coverage: Audit for apps holding android.permission.MANAGE_VIRTUAL_MACHINE, especially OEM, enterprise, and preloaded software. Standard vuln scanners usually only report patch level here.
STEP 03

Trigger malformed protected-VM initialization

The bug is in the pKVM initialization flow for a protected VM. Google's patch notes describe a hypervisor crash path when a host-side PGD allocation is undersized or misaligned, and the fix adds early alignment checks before pVM creation proceeds.
Conditions required:
  • ARM64 device with protected VMs supported
  • pKVM enabled and protected-VM creation actually reachable
Where this breaks in practice:
  • AVF is limited to ARM64 for protected VMs; Google's docs note x86_64 support is non-protected only
  • Some supported devices or builds ship AVF/pKVM disabled or not enabled by default
Detection/coverage: Look for virtualization service failures, kernel crash traces, or abnormal VM start failures in logcat, dmesg, and bugreports. There is no reliable remote scanner signature.
STEP 04

Convert corruption into local EoP

If the attacker can shape the corruption beyond a crash, they may escalate privileges on that single device. That is the high-impact part of the vendor assessment, but public evidence so far points more clearly to a dangerous crash condition than to a mature, repeatable exploit chain.
Conditions required:
  • A reliable exploitation primitive from the memory corruption
  • Bypasses for normal Android hardening and device-specific variability
Where this breaks in practice:
  • No public exploit, Metasploit module, or mainstream GitHub PoC found
  • Blast radius is one device at a time, not a remotely reachable fleet service
Detection/coverage: Behavioral detection is mostly indirect: crash loops, virtualization service anomalies, unusual privileged process behavior, or forensic signs of local exploit staging.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found for CVE-2026-0029. Google's March 2026 bulletin called out CVE-2026-21385 for limited targeted exploitation, not this CVE.
Public PoC availabilityNo public GitHub, Exploit-DB, or Metasploit PoC located in authoritative search results. That materially lowers near-term operational risk.
EPSS0.00007 from the user-supplied intel block — effectively negligible predicted exploitation probability.
KEV statusNot listed in CISA's Known Exploited Vulnerabilities Catalog.
CVSS vector reality checkCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H correctly reflects local attack vector, but it still assumes the vulnerable path is broadly reachable once local code exists. In reality, AVF/pKVM and restricted VM permissions sharply narrow reachability.
Affected scopeAndroid devices before security patch level 2026-03-05 where the pKVM/AVF protected-VM path is present and usable. This is not a generic internet-facing Android flaw.
Fixed versions / backportsGoogle states security patch levels 2026-03-05 or later address all issues in the March 2026 bulletin. NVD references patch commits in Android common-kernel branches: ae242b2637, 42eff3b2fd, and 749cf1743e.
Exposure / scanning dataShodan/Censys/FOFA-style exposure counting is largely not applicable because this is a local hypervisor path, not a remotely fingerprintable service. The practical inventory question is which managed devices support AVF/pKVM and expose VM creation to trusted apps.
Feature gateGoogle's AVF docs say the virtualization APIs are @SystemApi and require restricted android.permission.MANAGE_VIRTUAL_MACHINE; protected VMs are an ARM64 capability, while x86_64 support is non-protected only.
Disclosure / reporterDisclosed 2026-03-02. The fix commit attributes the bug report to Martijn Bogaard (Google).
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.3/10)

The decisive factor is reachability friction: this is a local-only bug that also depends on AVF/pKVM support and access to restricted VM-creation APIs. That makes it a serious single-device post-compromise escalation path, but not the kind of broad fleet emergency implied by a generic HIGH kernel-memory-corruption label.

HIGH Attacker-position requirement is post-initial-access and local-only
HIGH AVF permission gate materially narrows real-world reachability
MEDIUM Exploit reliability beyond crash behavior

Why this verdict

  • Start at vendor 8.4: hypervisor-adjacent memory corruption can absolutely be catastrophic on one device if exploited cleanly.
  • Down for attacker position: the bug requires local code execution, which means it is not an initial-access problem and already assumes a prior compromise stage.
  • Down for exposure population: only devices with AVF/pKVM protected-VM support can reach this path; this is a subset of Android, not the full handset estate.
  • Down for permission gating: Google's AVF APIs require restricted MANAGE_VIRTUAL_MACHINE; ordinary third-party apps do not get that by default.
  • Keep it above LOW: if the prerequisites line up, the impact is still kernel/hypervisor-level privilege escalation on a managed endpoint.

Why not higher?

It is not higher because every prerequisite compounds downward pressure: local code execution, AVF support, protected-VM support, and restricted VM permissions. That stack of assumptions means most real devices and most malicious apps will never reach the vulnerable function, even before you ask whether the memory corruption is reliably weaponizable.

Why not lower?

It is not lower because the underlying defect sits in a highly privileged kernel/hypervisor path and can plausibly become full device compromise where reachable. Enterprises that deploy preinstalled virtualization-aware apps, custom AVF workloads, or developer-enabled Android fleets still have a meaningful risk concentration.

05 · Compensating Control

What to do — in priority order.

  1. Audit VM-creation permission holders — Enumerate apps holding android.permission.MANAGE_VIRTUAL_MACHINE and remove or constrain any that are not explicitly required. For a MEDIUM verdict there is no noisgate mitigation SLA, but do this during normal hardening work so you reduce the reachable population before patch completion.
  2. Prioritize AVF-capable cohorts — Segment managed Android devices by AVF/pKVM capability and Android security patch level, then focus remediation on ARM64 devices with virtualization support and preinstalled enterprise/OEM apps that can create VMs. This narrows the actual vulnerable population instead of treating the whole mobile fleet as equally exposed.
  3. Keep Developer Options and adb tightly controlled — Because AVF permissions can be granted for development workflows, lock down adb authorization, USB debugging, and lab-only build practices on production devices. For MEDIUM, there is no mitigation SLA — go straight to the patching program while keeping developer pathways out of production.
  4. Block unapproved sideloading — This CVE still needs local code on the device first, so app allowlisting, enterprise app stores, Play Protect, and sideload restrictions remain valuable upstream controls. They do not fix the bug, but they reduce the chance an attacker ever reaches the pKVM path.
What doesn't work
  • A WAF, IPS, or email gateway does not help; this is not a remotely exposed web or protocol flaw.
  • Pure network segmentation does not solve a local Android kernel/hypervisor bug once code is already on-device.
  • Relying on Play Protect alone is not enough if your own preinstalled or privileged app can legitimately create VMs; the permission model is the real reachability gate.
06 · Verification

Crowdsourced verification payload.

Run this on the target Android device via adb shell, or push it to /data/local/tmp and invoke it as adb shell sh /data/local/tmp/check-cve-2026-0029.sh. It needs only normal shell access; no root is required. Example: adb shell sh /data/local/tmp/check-cve-2026-0029.sh.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/system/bin/sh
# check-cve-2026-0029.sh
# Determine likely exposure to CVE-2026-0029 on an Android device.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

TARGET_SPL="2026-03-05"

get_spl() {
  getprop ro.build.version.security_patch 2>/dev/null
}

get_arch64() {
  getprop ro.product.cpu.abilist64 2>/dev/null
}

has_avf_feature() {
  cmd package list features 2>/dev/null | grep -q 'android.software.virtualization_framework'
}

has_virt_apex() {
  pm path com.android.virt >/dev/null 2>&1
}

version_ge() {
  # Compares YYYY-MM-DD strings lexicographically.
  # Returns 0 if $1 >= $2
  [ "$1" = "$2" ] && return 0
  [ "$1" \> "$2" ] && return 0
  return 1
}

SPL="$(get_spl)"
ARCH64="$(get_arch64)"
AVF=0
VIRT_APEX=0

if has_avf_feature; then
  AVF=1
fi

if has_virt_apex; then
  VIRT_APEX=1
fi

if [ -z "$SPL" ]; then
  echo "UNKNOWN: unable to read Android security patch level"
  exit 2
fi

# Patched by Android SPL regardless of applicability.
if version_ge "$SPL" "$TARGET_SPL"; then
  echo "PATCHED: security patch level $SPL >= $TARGET_SPL"
  exit 0
fi

# Below patch level: now check whether the vulnerable path is plausibly reachable.
case "$ARCH64" in
  *arm64*) ARM64=1 ;;
  *) ARM64=0 ;;
esac

if [ "$ARM64" -eq 0 ]; then
  echo "PATCHED: device is not ARM64-capable for protected VM path (SPL $SPL is old, but pKVM protected-VM exposure is unlikely)"
  exit 0
fi

if [ "$AVF" -eq 1 ] || [ "$VIRT_APEX" -eq 1 ]; then
  echo "VULNERABLE: SPL $SPL < $TARGET_SPL and device appears to support Android virtualization"
  exit 1
fi

echo "UNKNOWN: SPL $SPL is older than $TARGET_SPL, but AVF/pKVM support could not be confirmed from shell"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not treat this like a mobile fire drill across every Android asset. First, inventory AVF-capable ARM64 devices and any preinstalled or enterprise apps with MANAGE_VIRTUAL_MACHINE; then patch those devices to Android security patch level 2026-03-05 or later inside the noisgate remediation SLA for MEDIUM issues, which is ≤ 365 days. There is no noisgate mitigation SLA — go straight to the 365-day remediation window, but you should still use normal hardening this week to reduce reachability by stripping unnecessary VM permissions, keeping adb/developer workflows out of production, and prioritizing the smaller virtualization-capable cohort instead of the full fleet.

Sources

  1. Android Security Bulletin—March 2026
  2. NVD entry for CVE-2026-0029
  3. Android common-kernel patch commit ae242b26371808a221578b89c937568781719d2c
  4. Android common-kernel patch commit 42eff3b2fd3a906ac8cdb6284d3265bc0856b56b
  5. Android common-kernel patch commit 749cf1743eb22eff1851c68a533147e1af97a9bf
  6. Android Virtualization Framework API README
  7. AVF architecture documentation
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.