
CVE-2026-0111: Google Android Privilege Escalation Flaw

CVE-2026-0111 is a privilege escalation vulnerability in Google Android caused by an out-of-bounds write in ns_SmscbUtilities.c. Attackers can remotely escalate privileges without user interaction.


CVE-2026-0111 Overview

CVE-2026-0111 is an out-of-bounds write vulnerability in the ns_GetUserData function of ns_SmscbUtilities.c in Google Android. The flaw stems from an incorrect bounds check that allows memory corruption beyond an allocated buffer. Remote attackers can trigger the condition without authentication and without any user interaction. Successful exploitation can lead to remote escalation of privilege on affected devices. Google addressed the issue in the Android Security Bulletin for March 2026, alongside a corresponding Pixel bulletin. The vulnerability is classified under [CWE-787: Out-of-bounds Write].

Critical Impact

Remote, unauthenticated attackers can corrupt memory in a baseband-adjacent SMS Cell Broadcast handler, enabling privilege escalation without user interaction.

Affected Products

  • Google Android (per March 2026 Android Security Bulletin)
  • Google Pixel devices (per March 2026 Pixel Security Bulletin)
  • Devices using the affected ns_SmscbUtilities component

Discovery Timeline

  • 2026-03-10 - CVE-2026-0111 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-0111

Vulnerability Analysis

The vulnerability resides in ns_GetUserData, a function in ns_SmscbUtilities.c that processes user data fields associated with Short Message Service Cell Broadcast (SMSCB) messages. The function performs a bounds check that fails to correctly validate the size of attacker-influenced input before writing to a destination buffer. An attacker who delivers a crafted Cell Broadcast message can trigger a write past the end of the buffer, corrupting adjacent memory structures. Because the routine executes without requiring user interaction or elevated privileges, exploitation requires only network reachability to the affected SMSCB processing path. The resulting memory corruption can be leveraged to achieve remote escalation of privilege in the component handling the message.

Root Cause

The root cause is an incorrect bounds check [CWE-787] in ns_GetUserData. The function relies on length values derived from untrusted message fields without properly constraining them against the destination buffer size. When the computed write length exceeds the buffer capacity, the function still proceeds with the copy operation. This permits controlled out-of-bounds writes into adjacent memory regions.

Attack Vector

The attack vector is network-based. An adversary capable of injecting or delivering a crafted SMSCB message to a vulnerable Android device can reach the vulnerable parser. No user interaction, prompts, or permissions are required on the target device. The vulnerability description does not include public proof-of-concept code, and no exploit is currently listed in Exploit-DB or CISA KEV. Technical specifics are documented in the Android Security Bulletin March 2026 and the Android Pixel Security Bulletin March 2026.

Detection Methods for CVE-2026-0111

Indicators of Compromise

  • Unexpected crashes, reboots, or watchdog resets in processes handling cell broadcast or SMS messages.
  • Anomalous Cell Broadcast traffic patterns from untrusted or rogue base stations.
  • Kernel or system logs referencing faults in ns_SmscbUtilities or related SMS/SMSCB handling components.

Detection Strategies

  • Monitor mobile device telemetry for repeated crashes in telephony, RIL, or modem-adjacent services that may indicate exploitation attempts.
  • Correlate device-side crash reports with proximity to unverified or anomalous cellular base stations.
  • Track Android security patch level (ro.build.version.security_patch) across the fleet to identify devices missing the March 2026 patch.

Monitoring Recommendations

  • Enforce mobile device management (MDM) policies that report current Android security patch levels and flag devices below 2026-03-01.
  • Review enterprise mobility logs for devices exhibiting unexplained telephony stack resets after exposure to public or untrusted cellular networks.
  • Subscribe to the Android Security Bulletin feed to track related component fixes and follow-on advisories.
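
The patch-level check described under Detection Strategies and Monitoring Recommendations, as an added shell example (not taken from Google's bulletins or from any vendor tooling). The inventory format and device IDs are constructed for illustration; only the property ro.build.version.security_patch and the 2026-03-01 threshold come from this page.

```shell
#!/bin/sh
# Added example: classify devices by the value of
# ro.build.version.security_patch against the 2026-03-01 level named above.
REQUIRED_SPL="2026-03-01"

# classify_spl LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN
classify_spl() {
    # Shape check first: a missing or malformed value must never count as patched.
    case "$1" in
        [0-9][0-9][0-9][0-9]-0[1-9]-[0-3][0-9]|[0-9][0-9][0-9][0-9]-1[0-2]-[0-3][0-9]) ;;
        *) echo "UNKNOWN"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the hyphens are removed.
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_SPL" | tr -d '-')
    if [ "$have" -lt "$need" ]; then echo "VULNERABLE"; else echo "PATCHED"; fi
}

# audit_fleet: reads "device_id,patch_level" lines on stdin and prints one
# "device_id,patch_level,STATUS" line for every device that is not PATCHED.
audit_fleet() {
    while IFS=, read -r device spl; do
        [ -n "$device" ] || continue             # skip blank lines
        spl=$(printf '%s' "$spl" | tr -d '\r ')  # exports may carry CR or spaces
        status=$(classify_spl "$spl")
        [ "$status" = "PATCHED" ] || echo "$device,$spl,$status"
    done
}

# Constructed sample inventory (hypothetical device IDs and values).
sample_inventory() {
    cat <<'EOF'
pixel-0001,2026-03-05
pixel-0002,2026-02-05
tablet-0107,2025-12-01
kiosk-0042,
phone-0311,2026-03-01
EOF
}

sample_inventory | audit_fleet
# For a single attached device:
#   classify_spl "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
```

Devices with an empty or malformed patch level are reported as UNKNOWN rather than passing, so gaps in inventory data surface alongside unpatched devices.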

How to Mitigate CVE-2026-0111

Immediate Actions Required

  • Apply the Android security patch level dated 2026-03-01 or later to all managed devices.
  • Prioritize patching for Pixel devices and OEM models that have shipped the March 2026 update.
  • Identify devices that cannot receive the update and plan replacement or compensating controls.

Patch Information

Google published the fix in the Android Security Bulletin March 2026. Pixel-specific fixes are documented in the Android Pixel Security Bulletin March 2026. Devices reporting a security patch level of 2026-03-01 or later include the corrected bounds check in ns_GetUserData.

Workarounds

  • Disable reception of non-essential Cell Broadcast channels where supported by the device or carrier configuration.
  • Restrict use of vulnerable devices on untrusted cellular networks until patches are applied.
  • Use carrier-level filtering for anomalous SMSCB traffic where feasible.

```bash
# Check the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-03-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
