CVE-2026-0107
Published: 10 March 2026
Summary
CVE-2026-0107 is a high-severity Confused Deputy (CWE-441) vulnerability in Google Android. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through applying vendor patches directly eliminates the confused deputy vulnerability in gmc_ddr_handle_mba_mr_req as recommended in the Android Security Bulletin.
A reference monitor mediates all access requests to enforce authorizations, preventing the gmc_ddr_handle_mba_mr_req function from being tricked into unauthorized privilege escalation.
Enforcing least privilege on system components like the DDR handler limits the impact of any successful confused deputy exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local confused deputy vulnerability directly enables exploitation for privilege escalation to arbitrary code execution from an unprivileged context.
NVD Description
In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr.c, there is a possible escalation of privileges due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysisAI
CVE-2026-0107 is a vulnerability in the gmc_ddr_handle_mba_mr_req function within gmc_mba_ddr.c, stemming from a confused deputy issue (CWE-441) that enables local escalation of privileges. It affects Android devices, as documented in the Android Security Bulletin for March 2026 and the corresponding Pixel update bulletin. The issue requires no additional execution privileges for exploitation and has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
A local attacker can exploit this vulnerability without user interaction or elevated privileges, leveraging low-complexity attack vectors to achieve arbitrary code execution with escalated privileges. Successful exploitation grants high-level access to confidentiality, integrity, and availability, potentially allowing full system compromise from an unprivileged local context.
The Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and Pixel bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) provide patches to address this issue, recommending that users apply the March 2026 security updates to mitigate the risk.
Details
- CWE(s)