CVE-2026-0110 Overview
CVE-2026-0110 is a memory corruption vulnerability in the Android cellular baseband stack. The flaw resides in the MM_DATA_IND handler within cn_NrSmMsgHdlrFromMM.cpp, which processes 5G Session Management messages from the Mobility Management layer. Attackers can trigger memory corruption remotely without user interaction and without holding any prior privileges. Successful exploitation leads to remote escalation of privilege on affected Android devices. Google disclosed the issue in the March 2026 Android Security Bulletin. The vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input).
Critical Impact
Remote attackers can corrupt baseband memory and escalate privileges on Android devices without user interaction.
Affected Products
- Google Android (per March 2026 Android Security Bulletin)
- Google Pixel devices (per March 2026 Pixel Security Bulletin)
- Android builds containing the unpatched cn_NrSmMsgHdlrFromMM component
Discovery Timeline
- 2026-03-10 - CVE-2026-0110 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-0110
Vulnerability Analysis
The vulnerability exists in the MM_DATA_IND message handler implemented in cn_NrSmMsgHdlrFromMM.cpp. This handler processes data indications passed from the Mobility Management (MM) layer to the 5G NR Session Management (SM) layer of the cellular protocol stack. The handler fails to validate the size or structure of attacker-controlled fields before copying them into a fixed-size buffer, producing a classic CWE-120 buffer copy without bounds checking.
Because the affected code path runs inside privileged baseband or modem-facing processes, memory corruption translates directly into remote escalation of privilege. The flaw requires no user interaction, no authentication, and no prior code execution on the device.
Root Cause
The root cause is missing length validation on fields contained in MM_DATA_IND messages before they are written into in-process buffers. The handler treats remote network input as trusted, allowing oversized or malformed Session Management payloads to overwrite adjacent memory structures. This corruption can be steered to overwrite function pointers, control structures, or return addresses inside the baseband process.
Attack Vector
The attack vector is network-based and adjacent to the radio access network. An attacker operating a rogue base station, a compromised network element, or an IMSI catcher can deliver a crafted Session Management message that traverses the MM layer and reaches the vulnerable handler. The radio path eliminates the need for user interaction, allowing exploitation while the target device is simply attached to the malicious cell. No code execution capability on the device is required to initiate the attack.
No public proof-of-concept or exploit code is available at the time of publication. See the Android Security Bulletin March 2026 for vendor technical details.
Detection Methods for CVE-2026-0110
Indicators of Compromise
- Unexpected modem or baseband process crashes, reboots, or tombstone files referencing cn_NrSmMsgHdlrFromMM or NR SM message handling.
- Device attachment to unexpected 5G NR cells with anomalous PLMN, TAC, or cell identity values inconsistent with the carrier footprint.
- Repeated NAS Session Management protocol errors or malformed MM_DATA_IND events in modem diagnostic logs.
Detection Strategies
- Monitor mobile device management (MDM) telemetry for Android security patch level and flag devices below the March 2026 patch level.
- Correlate baseband crash reports and kernel panics with location and serving-cell data to identify potential radio-based exploitation attempts.
- Inspect enterprise mobile threat defense (MTD) alerts for rogue base station detections or downgrade events near affected users.
Monitoring Recommendations
- Enforce continuous reporting of Android ro.build.version.security_patch through endpoint management to verify patch adoption.
- Aggregate mobile crash and diagnostic logs into a SIEM or data lake to baseline modem stability and detect anomalous spikes.
- Track CVE-2026-0110 status across the device fleet and alert on devices that fail to receive the March 2026 update within a defined SLA.
How to Mitigate CVE-2026-0110
Immediate Actions Required
- Apply the March 2026 Android security patch level (2026-03-01 or later) to all managed Android and Pixel devices.
- Prioritize patching for devices that operate on 5G NR networks or travel through high-risk regions where rogue base stations are plausible.
- For unpatched devices, restrict 5G NR usage via carrier or device settings where operationally feasible until updates are installed.
Patch Information
Google released fixes in the Android Security Bulletin March 2026 and the Android Pixel Security Bulletin March 2026. Devices must report a security patch level of 2026-03-01 or later to be considered remediated. OEM rollout times vary, so confirm vendor-specific availability for non-Pixel hardware.
Workarounds
- Enforce MDM policy requiring the March 2026 patch level before granting access to corporate resources.
- Disable 5G NR or force LTE-only mode on high-risk devices until the patch is installed, accepting the reduced functionality trade-off.
- Avoid attaching unmanaged or unpatched Android devices to untrusted cellular environments and educate users on signs of forced downgrade or unusual connectivity.
```bash
# Verify Android security patch level on a managed device via ADB
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices:
# 2026-03-01 (or later)
```
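The single-device check above, extended to triage an inventory export against the 2026-03-01 threshold. This is an added example, not code from Google or from this advisory's publisher; the `serial,patch_level` CSV layout, the function names and the sample rows are constructed assumptions.

```shell
#!/bin/sh
# Minimum patch level the advisory treats as remediated for CVE-2026-0110.
REQUIRED_SPL="2026-03-01"

# patch_status LEVEL -> prints remediated | vulnerable | unknown
# A validated YYYY-MM-DD value sorts chronologically as an integer once the
# dashes are removed, so a numeric comparison is sufficient.
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty, truncated or non-date value
    esac
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_SPL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo remediated; else echo vulnerable; fi
}

# triage_fleet: reads "serial,patch_level" rows on stdin and prints one
# "serial status" line for every device that still needs action.
# Devices reporting no usable value are surfaced as unknown, not passed.
triage_fleet() {
    while IFS=, read -r serial level; do
        [ "$serial" = "serial" ] && continue          # skip header row
        [ -z "$serial" ] && continue                  # skip blank lines
        level=$(printf '%s' "$level" | tr -d ' \r')   # tolerate CRLF exports
        status=$(patch_status "$level")
        [ "$status" = remediated ] || echo "$serial $status"
    done
}

# Constructed sample inventory (hypothetical serials, not real devices).
sample_inventory() {
    cat <<'EOF'
serial,patch_level
PIXEL-A01,2026-03-05
PIXEL-A02,2026-02-05
OEM-B17,2025-12-01
OEM-C03,
OEM-D44,2026-03-01
EOF
}

# Live use on one attached device (same property the advisory queries):
#   patch_status "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
sample_inventory | triage_fleet
```

Feed the output into the MDM access policy or SLA alerting described above; `unknown` rows deserve the same follow-up as `vulnerable` ones because the patch level could not be confirmed.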

