CVE-2026-20416
Published: 02 March 2026
Summary
CVE-2026-20416 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-20416 is an out-of-bounds write vulnerability in the PCIe component due to a missing bounds check, corresponding to CWE-787. It affects MediaTek platforms, as indicated by the associated patch IDs ALPS10315038 and ALPS10340155, and issue ID MSV-5155. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H), rated as high severity.
A malicious actor who has already obtained System privilege can exploit this vulnerability locally to achieve escalation of privilege. No user interaction is required for exploitation, and the attack vector is rated as network accessible with low complexity, though it requires high privileges as a prerequisite.
MediaTek's March 2026 product security bulletin at https://corp.mediatek.com/product-security-bulletin/March-2026 provides details on the issue, with patches available under IDs ALPS10315038 and ALPS10340155 to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9150
Vulnerability details
In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for…
more
exploitation. Patch ID: ALPS10315038 / ALPS10340155; Issue ID: MSV-5155.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB write in PCIe component directly enables local privilege escalation from an already-privileged context (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires bounds checking and validation on untrusted or internally supplied data, eliminating the missing-bounds-check root cause of the OOB write.
Enforces memory-protection mechanisms that block or contain out-of-bounds writes in kernel/driver memory regions such as the PCIe component.
Mandates timely application of vendor patches (ALPS10315038/ALPS10340155) that insert the missing bounds checks and close the privilege-escalation path.