Cyber Resilience

CVE-2026-0111

Critical

Published: 10 March 2026

Modified: 11 March 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-0111 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 22.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0111 is a critical-severity vulnerability: an out-of-bounds write caused by an incorrect bounds check in the ns_GetUserData function within ns_SmscbUtilities.c. It affects Android devices, as indicated by its inclusion in the Android security bulletins. It is assigned CWE-787 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability over the network without requiring user interaction or additional execution privileges. Successful exploitation enables escalation of privilege, potentially granting unauthorized access to sensitive data and system resources with high confidentiality, integrity, and availability impacts.

Mitigation details are provided in the Android Security Bulletin for March 2026 at https://source.android.com/docs/security/bulletin/2026/2026-03-01, along with Pixel-specific guidance at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01. Security practitioners should apply the corresponding patches to affected Android versions promptly.

Vulnerability details

In ns_GetUserData of ns_SmscbUtilities.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Remote unauthenticated exploitation leading to privilege escalation via out-of-bounds write directly enables T1068 (Exploitation for Privilege Escalation) and T1210 (Exploitation of Remote Services).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0117 (same product: Google Android)
CVE-2024-53837 (same product: Google Android)
CVE-2026-0037 (same product: Google Android)
CVE-2024-49738 (same product: Google Android)
CVE-2024-53838 (same product: Google Android)
CVE-2024-53833 (same product: Google Android)
CVE-2026-0123 (same product: Google Android)
CVE-2024-43096 (same product: Google Android)
CVE-2024-49745 (same product: Google Android)
CVE-2024-43097 (same product: Google Android)

Affected Assets

Google Android, all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely identification, reporting, and correction of software flaws like the out-of-bounds write in ns_GetUserData, enabling patching as specified in the Android Security Bulletin.

prevent

Implements runtime memory protections such as address space randomization and non-executable memory to mitigate exploitation of out-of-bounds writes leading to privilege escalation.

prevent

Mandates validation of information inputs to the ns_GetUserData function, addressing the root cause of the incorrect bounds check vulnerability.
