CVE-2026-0037 – Android Security Bulletin — March 2026 Security Update

CVSS 8.4 IMPORTANT

“This March update closes critical Android vulnerabilities that could allow attackers to execute code, escalate privileges, and break system isolation.”

The March 2026 Android Security Bulletin addresses 129 vulnerabilities across Android’s core platform, including Framework, System, Kernel, and virtualization subsystems. The most severe issues fixed this month include multiple critical remote execution, privilege escalation, and isolation escape flaws that pose significant risks to device integrity and data security.

Below are the notable critical vulnerabilities:

  • CVE-2026-0006 (Critical, CVSS 9.8) — A remote code execution flaw in the System component due to a heap buffer overflow. No privileges or user interaction are required to exploit.
  • CVE-2026-0047 (Critical, CVSS 9.8) — A local privilege escalation issue in the Android Framework that allows an app to gain elevated rights without additional execution privileges.
  • CVE-2025-48631 (Critical, CVSS 9.8) — A denial-of-service and potential code execution vulnerability in a core System service that could destabilize or crash the device remotely.
  • CVE-2024-43859 (Critical, CVSS 9.8) — A kernel privilege escalation vulnerability in the Flash-Friendly File System (F2FS) that could let attackers gain elevated system control.
  • CVE-2026-0037 (Critical, CVSS 9.8) — A kernel virtualization isolation break affecting pKVM, enabling potential guest-to-host privilege escalation.
  • CVE-2026-0038 (Critical, CVSS 9.8) — Another virtualization/guest escape vulnerability that undermines isolation boundaries within the kernel’s VM infrastructure.

In addition to these critical items, the March bulletin includes numerous high-severity privilege escalation and information disclosure fixes, as well as patches for vendor-specific components.

Google has released the March 2026 patch levels (2026-03-01 and 2026-03-05) that incorporate these fixes. OEMs and carriers are rolling out corresponding updates to supported devices. Installing these updates promptly is essential to protect against active and potential exploitation.
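As an added example (not part of the bulletin), the following POSIX shell script classifies a device's reported security patch level against the two March 2026 levels, so a fleet check can tell fully patched devices from partially patched or outdated ones. It assumes `adb` is on the PATH when run against a real device; the meaning of the 2026-03-01 versus 2026-03-05 split follows Android's general bulletin convention and is an assumption here.

```shell
#!/bin/sh
# Added example, not code from the bulletin or from Google.
# Compares a device's ro.build.version.security_patch value with the
# March 2026 bulletin levels. Assumption: per the usual Android bulletin
# convention, the -01 level carries the Framework/System fixes and the
# -05 level carries everything in the bulletin, including kernel and vendor.

BULLETIN_PARTIAL="2026-03-01"
BULLETIN_FULL="2026-03-05"

# Turn a YYYY-MM-DD patch level into a comparable YYYYMMDD integer.
# Returns 1 (and prints nothing) for a malformed level string.
patch_level_key() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | tr -d '-'
            ;;
        *)
            return 1
            ;;
    esac
}

# Print FULL, PARTIAL, OUTDATED or UNKNOWN for a reported patch level.
classify_patch_level() {
    key=$(patch_level_key "$1") || { echo UNKNOWN; return 0; }
    full=$(patch_level_key "$BULLETIN_FULL")
    partial=$(patch_level_key "$BULLETIN_PARTIAL")
    if [ "$key" -ge "$full" ]; then
        echo FULL
    elif [ "$key" -ge "$partial" ]; then
        echo PARTIAL
    else
        echo OUTDATED
    fi
}

# Read the level from a connected device (needs adb and USB debugging).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Usage: ./check_patch_level.sh --device
if [ "${1:-}" = "--device" ]; then
    level=$(device_patch_level)
    printf '%s -> %s\n' "$level" "$(classify_patch_level "$level")"
fi
```

A device reporting a level later than 2026-03-05 is also classified FULL, since later levels are cumulative.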

Key Details

Affected Product: Google Android
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-787