CVE-2026-0117
Published: 10 March 2026
Summary
CVE-2026-0117 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 0.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
SI-2 mandates timely flaw remediation, directly addressing this out-of-bounds write by applying vendor patches from Android security bulletins.
SI-16 enforces memory protections like ASLR and non-executable memory that prevent successful exploitation of the out-of-bounds write for privilege escalation.
SI-10 requires validation of inputs to the mfc_dec_dqbuf function, mitigating the incorrect bounds check that enables the out-of-bounds write.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
An out-of-bounds write in a local Android kernel component directly enables local privilege escalation without authentication or user interaction.
NVD Description
In mfc_dec_dqbuf of mfc_dec_v4l2.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis (AI)
CVE-2026-0117 is a vulnerability involving an out-of-bounds write due to an incorrect bounds check in the mfc_dec_dqbuf function of mfc_dec_v4l2.c. This issue affects the Android Open Source Project, specifically components related to the multimedia function codec (MFC) decoder using the Video4Linux2 (V4L2) framework. Published on 2026-03-10, it is associated with CWE-787 and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability without additional execution privileges or user interaction. By triggering the faulty bounds check during buffer dequeuing in the MFC decoder, the attacker can achieve local escalation of privilege, potentially compromising confidentiality, integrity, and availability with high impact.
Android security advisories provide details on patches and mitigation. Security practitioners should refer to the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-03-01 and the Pixel-specific bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01 for implementation guidance and affected versions.
Details
- CWE(s)