CVE-2026-0010

High

Published: 02 March 2026

Published

02 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0000 0.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0010 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires bounds checking and input validation to directly prevent out-of-bounds writes in functions like onTransact.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as address space layout randomization and stack guards to mitigate exploitation of out-of-bounds writes.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, testing, and deployment of patches to remediate the specific out-of-bounds write vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Out-of-bounds write enables local privilege escalation via direct exploitation of the vulnerable service without user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In onTransact of IDrmManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2026-0010 involves an out-of-bounds write vulnerability in the onTransact function of IDrmManagerService.cpp within Android, stemming from a missing bounds check. This flaw, tagged under CWE-787 (Out-of-bounds Write), was published on 2026-03-02 and assigned a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability enables local escalation of privilege without requiring additional execution privileges or user interaction. An attacker with local access to the device can exploit it with low attack complexity, leveraging the lack of bounds checking to overwrite memory beyond intended boundaries and elevate their privileges on the system.

Mitigation details are outlined in the Android security bulletin available at https://source.android.com/docs/security/bulletin/2026/2026-03-01.

Details

CWE(s): CWE-787

Affected Products

google

android

14.0, 15.0, 16.0

CVEs Like This One

CVE-2024-53838Same product: Google Android

CVE-2026-0123Same product: Google Android

CVE-2024-53837Same product: Google Android

CVE-2026-0124Same product: Google Android

CVE-2024-49745Same product: Google Android

CVE-2026-0117Same product: Google Android

CVE-2026-0037Same product: Google Android

CVE-2025-32313Same product: Google Android

CVE-2024-49738Same product: Google Android

CVE-2024-53833Same product: Google Android

References

https://source.android.com/docs/security/bulletin/2026/2026-03-01
security@android.com