CVE-2026-0110
Published: 10 March 2026
Description
In MM_DATA_IND of cn_NrSmMsgHdlrFromMM.cpp, there is a possible EoP due to memory corruption. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Mitigating Controls (NIST 800-53 r5)AI
SI-2 ensures timely remediation of the specific memory corruption flaw in MM_DATA_IND via patching as detailed in the Android Security Bulletin.
SI-16 implements memory protection mechanisms like ASLR and DEP to directly prevent exploitation of the memory corruption leading to remote EoP.
SI-10 enforces input validation on MM_DATA_IND messages to mitigate malformed data triggering the CWE-120 buffer copy without bounds check vulnerability.
Security SummaryAI
CVE-2026-0110 is a memory corruption vulnerability in the MM_DATA_IND function of cn_NrSmMsgHdlrFromMM.cpp, enabling escalation of privilege (EoP). Classified under CWE-120, it affects Android components, as documented in the Android Security Bulletin.
The vulnerability carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. Remote attackers require no privileges or user interaction to exploit it, achieving remote EoP without additional execution privileges needed.
The Android Security Bulletin for March 2026 (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and the Pixel update bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) detail patches to mitigate the issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote memory corruption enabling privilege escalation (EoP) with no privileges required, directly mapping to Exploitation for Privilege Escalation (T1068).