Cyber Resilience

CVE-2026-0110

Critical

Published: 10 March 2026

Modified: 11 March 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-0110 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 22.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0110 is a memory corruption vulnerability in the MM_DATA_IND function of cn_NrSmMsgHdlrFromMM.cpp, enabling escalation of privilege (EoP). Classified under CWE-120, it affects Android components, as documented in the Android Security Bulletin.

The vulnerability carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. A remote attacker needs no privileges and no user interaction to exploit it, and can achieve remote EoP with no additional execution privileges.

The Android Security Bulletin for March 2026 (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and the Pixel update bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) detail patches to mitigate the issue.

Vulnerability details

In MM_DATA_IND of cn_NrSmMsgHdlrFromMM.cpp, there is a possible EoP due to memory corruption. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a remote memory corruption enabling privilege escalation (EoP) with no privileges required, directly mapping to Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28580 · Same product: Google Android
CVE-2025-48611 · Same product: Google Android
CVE-2018-9387 · Same product: Google Android
CVE-2024-47032 · Same product: Google Android
CVE-2025-48574 · Same product: Google Android
CVE-2026-0028 · Same product: Google Android
CVE-2026-0117 · Same product: Google Android
CVE-2026-0032 · Same product: Google Android
CVE-2018-9382 · Same product: Google Android
CVE-2025-48578 · Same product: Google Android

Affected Assets

google · android · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 ensures timely remediation of the specific memory corruption flaw in MM_DATA_IND via patching as detailed in the Android Security Bulletin.

Prevent: SI-16 implements memory protection mechanisms like ASLR and DEP to directly prevent exploitation of the memory corruption leading to remote EoP.

Prevent: SI-10 enforces input validation on MM_DATA_IND messages to mitigate malformed data triggering the CWE-120 buffer copy without bounds check vulnerability.
