Cyber Resilience

CVE-2026-0112

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0112 is a high-severity Race Condition (CWE-362) vulnerability in Google Android. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0112 is a use-after-free vulnerability stemming from a race condition in the vpu_open_inst function of vpu_ioctl.c. This flaw affects the Android operating system, as documented in the Android Security Bulletin and Pixel Security Bulletin for March 2026. It is associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) and CWE-416 (Use After Free), and carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker requires no additional execution privileges to exploit this vulnerability, which does not necessitate user interaction. Due to the race condition, exploitation demands high attack complexity, but success enables local escalation of privilege with high impacts on confidentiality, integrity, and availability.

The Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-03-01) and Pixel Security Bulletin (https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01) provide details on patches addressing this issue, which security practitioners should apply to vulnerable Android and Pixel devices.

EU & UK References

Vulnerability details

In vpu_open_inst of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via kernel use-after-free/race condition in Android driver (vpu_ioctl).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-40651Same product: Google Android
CVE-2025-48577Same product: Google Android
CVE-2024-34732Same product: Google Android
CVE-2024-40649Same product: Google Android
CVE-2025-22410Same product: Google Android
CVE-2025-48543Same product: Google Android
CVE-2024-40669Same product: Google Android
CVE-2024-40670Same product: Google Android
CVE-2025-22409Same product: Google Android
CVE-2025-22404Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Memory Protection directly blocks exploitation of the use-after-free in vpu_open_inst by enforcing bounds and preventing dangling references after the race condition.

prevent

Flaw Remediation requires applying the vendor patches listed in the Android/Pixel March 2026 bulletins that eliminate the race condition in vpu_ioctl.c.

prevent

Process Isolation limits the blast radius of the local privilege escalation that succeeds when the use-after-free is triggered.

References