CVE-2026-0010
Published: 02 March 2026
Summary
CVE-2026-0010 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-0010 involves an out-of-bounds write vulnerability in the onTransact function of IDrmManagerService.cpp within Android, stemming from a missing bounds check. This flaw, tagged under CWE-787 (Out-of-bounds Write), was published on 2026-03-02 and assigned a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability enables local escalation of privilege without requiring additional execution privileges or user interaction. An attacker with local access to the device can exploit it with low attack complexity, leveraging the lack of bounds checking to overwrite memory beyond intended boundaries and elevate their privileges on the system.
Mitigation details are outlined in the Android security bulletin available at https://source.android.com/docs/security/bulletin/2026/2026-03-01.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9228
Vulnerability details
In onTransact of IDrmManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write enables local privilege escalation via direct exploitation of the vulnerable service without user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires bounds checking and input validation to directly prevent out-of-bounds writes in functions like onTransact.
Implements memory protection mechanisms such as address space layout randomization and stack guards to mitigate exploitation of out-of-bounds writes.
Mandates timely identification, testing, and deployment of patches to remediate the specific out-of-bounds write vulnerability.