Cyber Posture

CVE-2026-0112

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0112 is a high-severity Race Condition (CWE-362) vulnerability in Google Android. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AU-8 Time Stamps
addresses: CWE-362

Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.

PL-6 Security-related Activity Planning
addresses: CWE-362

Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.

SI-16 Memory Protection
addresses: CWE-416

Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Direct local privilege escalation via kernel use-after-free/race condition in Android driver (vpu_ioctl).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In vpu_open_inst of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2026-0112 is a use-after-free vulnerability stemming from a race condition in the vpu_open_inst function of vpu_ioctl.c. This flaw affects the Android operating system, as documented in the Android Security Bulletin and Pixel Security Bulletin for March 2026. It is associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) and CWE-416 (Use After Free), and carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker requires no additional execution privileges to exploit this vulnerability, which does not necessitate user interaction. Due to the race condition, exploitation demands high attack complexity, but success enables local escalation of privilege with high impacts on confidentiality, integrity, and availability.

The Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and Pixel Security Bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) provide details on patches addressing this issue, which security practitioners should apply to vulnerable Android and Pixel devices.

Details

CWE(s)
CWE-362CWE-416

Affected Products

google
android
all versions

CVEs Like This One

CVE-2025-48577Same product: Google Android
CVE-2025-48543Same product: Google Android
CVE-2025-22409Same product: Google Android
CVE-2025-48568Same product: Google Android
CVE-2025-22404Same product: Google Android
CVE-2025-22410Same product: Google Android
CVE-2025-48574Same product: Google Android
CVE-2025-36920Same product: Google Android
CVE-2026-0011Same product: Google Android
CVE-2026-0020Same product: Google Android

References