CVE-2026-0116 Overview
CVE-2026-0116 is an out-of-bounds write vulnerability in the Android operating system. The flaw resides in the __mfc_handle_released_buf function of mfc_core_isr.c, a kernel-level component responsible for handling released buffers within the Multi-Format Codec (MFC) interrupt service routine. A missing bounds check allows attackers to write beyond allocated memory regions. Exploitation can lead to remote code execution without requiring user interaction or additional privileges. Google addressed the issue in the Android Security Bulletin March 2026.
Critical Impact
Remote attackers can achieve code execution on affected Android devices without user interaction, putting personal data, credentials, and device integrity at risk.
Affected Products
- Google Android (see Android Security Bulletin March 2026 for affected versions)
- Google Pixel devices (per Pixel Security Bulletin March 2026)
- Devices using the affected MFC kernel driver implementation
Discovery Timeline
- 2026-03-10 - CVE-2026-0116 published to the National Vulnerability Database
- 2026-03-11 - Last updated in the NVD
Technical Details for CVE-2026-0116
Vulnerability Analysis
The vulnerability resides in __mfc_handle_released_buf, a function within mfc_core_isr.c that processes buffers released by the Multi-Format Codec driver during interrupt handling. The function fails to validate buffer indices or size parameters before performing write operations. This omission permits writes to memory addresses outside the intended buffer boundaries.
The MFC subsystem handles hardware-accelerated video encoding and decoding on Android devices. Because the affected code path executes in kernel context, successful exploitation grants attacker-controlled writes within the kernel address space. Attackers can leverage the primitive to corrupt kernel data structures and ultimately execute arbitrary code.
The weakness is categorized under CWE-787: Out-of-Bounds Write. Exploitation does not require authentication or user interaction, which makes the vulnerability suitable for remote attack scenarios such as malicious media streams or crafted codec input.
Root Cause
The root cause is a missing bounds check in __mfc_handle_released_buf. The function trusts buffer metadata without validating it against allocated region limits. When malformed input reaches the codec ISR, write operations exceed the destination buffer and overwrite adjacent kernel memory.
Attack Vector
The attack vector is network-based with low complexity. Attackers can deliver crafted video data through media-handling pathways that route content to the MFC driver. Successful processing of the malicious payload triggers the out-of-bounds write inside the kernel. No user action and no prior privileges are required for exploitation.
No public proof-of-concept exploit is currently available, and CISA has not added this vulnerability to the Known Exploited Vulnerabilities catalog. The EPSS probability is approximately 0.23%.
Detection Methods for CVE-2026-0116
Indicators of Compromise
- Unexpected kernel oops, panics, or crash logs referencing mfc_core_isr or __mfc_handle_released_buf
- Anomalous memory corruption errors logged by the Android kernel during media playback or codec operations
- Unauthorized privilege escalation events or unexpected root-level processes following media content consumption
Detection Strategies
- Monitor Android security patch level on managed devices and flag any device below the March 2026 patch level
- Inspect kernel crash dumps and logcat output for traces involving the MFC driver stack
- Correlate device telemetry with delivery of untrusted media files or streams from unknown origins
Monitoring Recommendations
- Track Android Security Bulletin compliance across the mobile fleet using mobile device management (MDM) tooling
- Alert on unmanaged or jailbroken devices accessing corporate resources, as these are unlikely to receive timely patches
- Monitor for repeated codec-related kernel faults that may indicate exploitation attempts
How to Mitigate CVE-2026-0116
Immediate Actions Required
- Apply the March 2026 Android security patch to all affected devices as soon as the OEM makes it available
- Update Pixel devices using the March 2026 Pixel Security Bulletin guidance
- Restrict installation of media-handling applications to vetted sources and enforce Google Play Protect
Patch Information
Google published fixes in the Android Security Bulletin March 2026 and the Android Pixel Security Bulletin March 2026. Devices at the 2026-03-01 security patch level or later include the fix. Original equipment manufacturers (OEMs) integrate the upstream fix into their own update channels, so timing varies by device vendor.
Workarounds
- Avoid opening untrusted video files or streams until the device is patched
- Disable hardware-accelerated codec features where the OEM permits configuration changes
- Enforce mobile device management policies that quarantine devices missing the March 2026 patch level
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-03-01 or later
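The patch-level check above and the kernel-log inspection listed under Detection Strategies can be combined into one triage script. This is an added example, not code from Google or from this advisory's publisher; the function names and the sample log lines are constructed, and reading dmesg over adb may require elevated access on production builds.

```shell
#!/bin/sh
# Added example: triage for CVE-2026-0116. Function names are hypothetical.
FIXED_SPL="2026-03-01"   # fixed security patch level stated on this page

# Print patched | vulnerable | unknown for a security patch level string.
classify_spl() {
    spl=$(printf '%s' "$1" | tr -d '[:space:]')   # adb output may end in CR/LF
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # ISO dates order correctly as integers once the dashes are dropped.
    have=$(echo "$spl" | sed 's/-//g')
    need=$(echo "$FIXED_SPL" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Count kernel-log lines on stdin that name the affected file or function.
count_mfc_faults() {
    grep -c -E 'mfc_core_isr|__mfc_handle_released_buf' || true
}

# $1 = patch level, stdin = kernel log. Prints one triage verdict.
triage_device() {
    state=$(classify_spl "$1")
    faults=$(count_mfc_faults)
    if [ "$state" = patched ]; then
        if [ "$faults" -gt 0 ]; then echo review-crashes; else echo ok; fi
    elif [ "$faults" -gt 0 ]; then
        echo investigate       # unpatched or unknown, and faulting in the MFC path
    else
        echo patch-required
    fi
}

# Constructed sample log (addresses and offsets are made up).
sample_kernel_log() {
cat <<'EOF'
[ 1021.334] Unable to handle kernel paging request at virtual address (constructed)
[ 1021.335] pc : __mfc_handle_released_buf+0x1a4/0x2c0
[ 1021.336] Call trace: __mfc_handle_released_buf+0x1a4/0x2c0
[ 1021.337] WARNING: fault while running mfc_core_isr.c handler
[ 1050.002] binder: transaction failed
EOF
}

# Live use: sh triage.sh --device   (requires adb and a connected device)
if [ "${1:-}" = "--device" ]; then
    level=$(adb shell getprop ro.build.version.security_patch </dev/null)
    adb shell dmesg </dev/null 2>/dev/null | triage_device "$level"
fi
```

An unparseable or empty patch level is reported as unknown and handled like an unpatched device, so a failed getprop call never produces an "ok" verdict.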
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

