CVE-2026-0110
Published: 10 March 2026
Summary
CVE-2026-0110 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0110 is a memory corruption vulnerability in the MM_DATA_IND function of cn_NrSmMsgHdlrFromMM.cpp, enabling escalation of privilege (EoP). Classified under CWE-120, it affects Android components, as documented in the Android Security Bulletin.
The vulnerability carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. Remote attackers require no privileges or user interaction to exploit it, achieving remote EoP without additional execution privileges needed.
The Android Security Bulletin for March 2026 (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and the Pixel update bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) detail patches to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10836
Vulnerability details
In MM_DATA_IND of cn_NrSmMsgHdlrFromMM.cpp, there is a possible EoP due to memory corruption. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote memory corruption enabling privilege escalation (EoP) with no privileges required, directly mapping to Exploitation for Privilege Escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 ensures timely remediation of the specific memory corruption flaw in MM_DATA_IND via patching as detailed in the Android Security Bulletin.
SI-16 implements memory protection mechanisms like ASLR and DEP to directly prevent exploitation of the memory corruption leading to remote EoP.
SI-10 enforces input validation on MM_DATA_IND messages to mitigate malformed data triggering the CWE-120 buffer copy without bounds check vulnerability.