Cyber Resilience

CVE-2026-0123

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0123 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-0123 is a vulnerability involving an out-of-bounds write due to a missing bounds check in the EfwApTransport::ProcessRxRing function of efw_ap_transport.cc. This issue affects Android systems and is classified under CWE-787.

A local attacker can exploit this vulnerability with low attack complexity, no privileges, and no user interaction required. Successful exploitation enables local escalation of privilege, resulting in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS 3.1 score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Android security bulletin dated 2026-03-01 details patches and mitigation measures at https://source.android.com/docs/security/bulletin/2026/2026-03-01.

EU & UK References

Vulnerability details

In EfwApTransport::ProcessRxRing of efw_ap_transport.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Out-of-bounds write enables local memory corruption exploit for privilege escalation without requiring prior privileges or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-49745Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2026-0037Same product: Google Android
CVE-2026-0117Same product: Google Android
CVE-2024-43077Same product: Google Android
CVE-2026-0010Same product: Google Android
CVE-2024-53833Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs including bounds checks, directly preventing the out-of-bounds write due to the missing bounds check in ProcessRxRing.

prevent

SI-16 implements memory protection mechanisms such as stack canaries and address space randomization that mitigate exploitation of the out-of-bounds write for privilege escalation.

prevent

SI-2 ensures timely identification, reporting, and remediation of flaws like this buffer overflow vulnerability via patching as detailed in the Android security bulletin.

References