CVE-2026-0120

Critical

Published: 10 March 2026

Published

10 March 2026

Modified

11 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

In modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of information inputs, directly addressing the incorrect bounds check that enables the out-of-bounds write in the modem.

SI-16 Memory Protection good match

prevent

SI-16 implements memory protections such as non-executable memory and randomization, mitigating exploitation of the out-of-bounds write for remote code execution.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and patching of flaws, directly remediating the specific bounds check vulnerability in the Android modem as detailed in security bulletins.

Security SummaryAI

CVE-2026-0120 is a vulnerability in the modem component of Android systems, stemming from an incorrect bounds check that enables an out-of-bounds write (CWE-787). Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact without privileges or user interaction.

Remote attackers can exploit this vulnerability over the network with low attack complexity and no prerequisites, achieving remote code execution without additional execution privileges. No user interaction is required, allowing unauthenticated adversaries to potentially compromise affected devices fully.

The Android Security Bulletin for 2026-03-01 at https://source.android.com/docs/security/bulletin/2026/2026-03-01 and the Pixel-specific bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01 detail patches and mitigation guidance for addressing this issue in supported Android versions and Pixel devices.

Details

CWE(s): CWE-787

Affected Products

google

android

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote code execution via network exploitation of a public-facing modem component without privileges or user interaction, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://source.android.com/docs/security/bulletin/2026/2026-03-01
Vendor Advisory · dsap-vuln-management@google.com
https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0