CVE-2026-0118
Published: 10 March 2026
Summary
CVE-2026-0118 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Google Android. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the logic error in oobconfig by requiring timely application of vendor patches from the March 2026 Android Security Bulletin to prevent privilege escalation.
Implements a tamper-proof reference monitor that mediates all access control decisions, preventing local attackers from bypassing carrier restrictions via the oobconfig logic error.
Enforces least privilege on system components like oobconfig to limit the scope and impact of any successful privilege escalation from unprivileged local access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Logic flaw directly enables local privilege escalation (no prior access or interaction required).
NVD Description
In oobconfig, there is a possible bypass of carrier restrictions due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysisAI
CVE-2026-0118 is a logic error (CWE-693) in the oobconfig component that enables bypassing carrier restrictions. This vulnerability affects Android devices and was published on 2026-03-10. It allows local escalation of privilege without requiring additional execution privileges, and no user interaction is needed for exploitation. The issue carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its low complexity and significant impact on confidentiality, integrity, and availability.
A local attacker can exploit this vulnerability with no prior privileges, leveraging the logic error to bypass carrier restrictions and achieve escalation of privilege on the affected Android device. The attack requires only local access, such as through a compromised app or physical access, and does not depend on user interaction, making it straightforward for adversaries already on the system.
The Android Security Bulletin for March 2026 at https://source.android.com/docs/security/bulletin/2026/2026-03-01 and the Pixel-specific bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01 detail patches and mitigation steps for this vulnerability. Security practitioners should ensure devices are updated to the patched versions outlined in these advisories to address the issue.
Details
- CWE(s)