Cyber Resilience

CVE-2026-0107

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0107 is a high-severity Confused Deputy (CWE-441) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0107 is a vulnerability in the gmc_ddr_handle_mba_mr_req function within gmc_mba_ddr.c, stemming from a confused deputy issue (CWE-441) that enables local escalation of privileges. It affects Android devices, as documented in the Android Security Bulletin for March 2026 and the corresponding Pixel update bulletin. The issue requires no additional execution privileges for exploitation and has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

A local attacker can exploit this vulnerability without user interaction or elevated privileges, leveraging low-complexity attack vectors to achieve arbitrary code execution with escalated privileges. Successful exploitation grants high-level access to confidentiality, integrity, and availability, potentially allowing full system compromise from an unprivileged local context.

The Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and Pixel bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) provide patches to address this issue, recommending that users apply the March 2026 security updates to mitigate the risk.

EU & UK References

Vulnerability details

In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr.c, there is a possible escalation of privileges due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local confused deputy vulnerability directly enables exploitation for privilege escalation to arbitrary code execution from an unprivileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-48646Same product: Google Android
CVE-2026-0021Same product: Google Android
CVE-2026-0013Same product: Google Android
CVE-2025-48579Same product: Google Android
CVE-2026-0008Same product: Google Android
CVE-2024-56192Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-40651Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through applying vendor patches directly eliminates the confused deputy vulnerability in gmc_ddr_handle_mba_mr_req as recommended in the Android Security Bulletin.

prevent

A reference monitor mediates all access requests to enforce authorizations, preventing the gmc_ddr_handle_mba_mr_req function from being tricked into unauthorized privilege escalation.

prevent

Enforcing least privilege on system components like the DDR handler limits the impact of any successful confused deputy exploitation.

References