Cyber Posture

CVE-2026-0120

Critical

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 46.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0120 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of information inputs, directly addressing the incorrect bounds check that enables the out-of-bounds write in the modem.

SI-16 Memory Protection good match
prevent

SI-16 implements memory protections such as non-executable memory and randomization, mitigating exploitation of the out-of-bounds write for remote code execution.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates timely identification, reporting, and patching of flaws, directly remediating the specific bounds check vulnerability in the Android modem as detailed in security bulletins.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability allows remote code execution via network exploitation of a public-facing modem component without privileges or user interaction, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2026-0120 is a vulnerability in the modem component of Android systems, stemming from an incorrect bounds check that enables an out-of-bounds write (CWE-787). Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact without privileges or user interaction.

Remote attackers can exploit this vulnerability over the network with low attack complexity and no prerequisites, achieving remote code execution without additional execution privileges. No user interaction is required, allowing unauthenticated adversaries to potentially compromise affected devices fully.

The Android Security Bulletin for 2026-03-01 at https://source.android.com/docs/security/bulletin/2026/2026-03-01 and the Pixel-specific bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01 detail patches and mitigation guidance for addressing this issue in supported Android versions and Pixel devices.

Details

CWE(s)
CWE-787

Affected Products

google
android
all versions

CVEs Like This One

CVE-2026-0116Same product: Google Android
CVE-2025-36937Same product: Google Android
CVE-2026-0114Same product: Google Android
CVE-2026-0113Same product: Google Android
CVE-2024-53842Same product: Google Android
CVE-2024-43096Same product: Google Android
CVE-2024-49748Same product: Google Android
CVE-2024-43768Same product: Google Android
CVE-2026-0123Same product: Google Android
CVE-2026-0010Same product: Google Android

References