
CVE-2026-0116: Google Android RCE Vulnerability

CVE-2026-0116 is a remote code execution vulnerability in Google Android caused by an out-of-bounds write in mfc_core_isr.c. The flaw requires no user interaction. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-0116 Overview

CVE-2026-0116 is an out-of-bounds write vulnerability in the Android operating system. The flaw resides in the __mfc_handle_released_buf function of mfc_core_isr.c, a kernel-level component responsible for handling released buffers within the Multi-Format Codec (MFC) interrupt service routine. A missing bounds check allows attackers to write beyond allocated memory regions. Exploitation can lead to remote code execution without requiring user interaction or additional privileges. Google addressed the issue in the Android Security Bulletin March 2026.

Critical Impact

Remote attackers can achieve code execution on affected Android devices without user interaction, putting personal data, credentials, and device integrity at risk.

Affected Products

  • Google Android (see Android Security Bulletin March 2026 for affected versions)
  • Google Pixel devices (per Pixel Security Bulletin March 2026)
  • Devices using the affected MFC kernel driver implementation

Discovery Timeline

  • 2026-03-10 - CVE-2026-0116 published to the National Vulnerability Database
  • 2026-03-11 - Last updated in the NVD database

Technical Details for CVE-2026-0116

Vulnerability Analysis

The vulnerability resides in __mfc_handle_released_buf, a function within mfc_core_isr.c that processes buffers released by the Multi-Format Codec driver during interrupt handling. The function fails to validate buffer indices or size parameters before performing write operations. This omission permits writes to memory addresses outside the intended buffer boundaries.

The MFC subsystem handles hardware-accelerated video encoding and decoding on Android devices. Because the affected code path executes in kernel context, successful exploitation grants attacker-controlled writes within the kernel address space. Attackers can leverage the primitive to corrupt kernel data structures and ultimately execute arbitrary code.

The weakness is categorized under CWE-787: Out-of-Bounds Write. Exploitation does not require authentication or user interaction, which makes the vulnerability suitable for remote attack scenarios such as malicious media streams or crafted codec input.

Root Cause

The root cause is a missing bounds check in __mfc_handle_released_buf. The function trusts buffer metadata without validating it against allocated region limits. When malformed input reaches the codec ISR, write operations exceed the destination buffer and overwrite adjacent kernel memory.

Attack Vector

The attack vector is network-based with low complexity. Attackers can deliver crafted video data through media-handling pathways that route content to the MFC driver. Successful processing of the malicious payload triggers the out-of-bounds write inside the kernel. No user action and no prior privileges are required for exploitation.

No public proof-of-concept exploit is currently available, and CISA has not added this vulnerability to the Known Exploited Vulnerabilities catalog. The EPSS probability is approximately 0.23%.

Detection Methods for CVE-2026-0116

Indicators of Compromise

  • Unexpected kernel oops, panics, or crash logs referencing mfc_core_isr or __mfc_handle_released_buf
  • Anomalous memory corruption errors logged by the Android kernel during media playback or codec operations
  • Unauthorized privilege escalation events or unexpected root-level processes following media content consumption

Detection Strategies

  • Monitor Android security patch level on managed devices and flag any device below the March 2026 patch level
  • Inspect kernel crash dumps and logcat output for traces involving the MFC driver stack
  • Correlate device telemetry with delivery of untrusted media files or streams from unknown origins

Monitoring Recommendations

  • Track Android Security Bulletin compliance across the mobile fleet using mobile device management (MDM) tooling
  • Alert on unmanaged or jailbroken devices accessing corporate resources, as these are unlikely to receive timely patches
  • Monitor for repeated codec-related kernel faults that may indicate exploitation attempts
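
The kernel-log indicator above can be checked mechanically. The following is an added example, not code from Google or from this advisory's publisher: it reports kernel fault records whose following lines reference either of the two symbols named in this article, and ignores MFC mentions that are not part of a fault. The fault-marker phrases, the 20-line window, and all sample log lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example. Symbols are the two named in the advisory; the fault markers are
# common Linux kernel log phrases. All sample log lines below are constructed.
MFC_PATTERN='mfc_core_isr|__mfc_handle_released_buf'
FAULT_PATTERN='Unable to handle kernel|Internal error: Oops|Kernel panic|BUG: KASAN'

# scan_mfc_faults FILE [WINDOW]: print one line per fault report that mentions an
# MFC symbol within WINDOW lines of the fault marker. Exit status 0 if any found.
scan_mfc_faults() {
  awk -v mfc="$MFC_PATTERN" -v fault="$FAULT_PATTERN" -v win="${2:-20}" '
    $0 ~ fault { start = NR; header = $0; reported = 0 }
    start && !reported && NR - start <= win && $0 ~ mfc {
      printf "line %d: %s\n", start, header
      reported = 1; hits++
    }
    END { exit (hits > 0 ? 0 : 1) }
  ' "$1"
}

# count_mfc_faults FILE [WINDOW]: number of MFC-related fault reports in FILE.
count_mfc_faults() { scan_mfc_faults "$@" | awk 'END { print NR }'; }

# write_sample_log PATH: constructed log with one MFC-related fault, one unrelated
# fault, and one MFC mention outside any fault (which must not be reported).
write_sample_log() {
  cat > "$1" <<'EOF'
[   90.000000] mfc_core_isr: constructed informational line, no fault
[  101.200000] Unable to handle kernel paging request (constructed)
[  101.200010] Call trace:
[  101.200020]  __mfc_handle_released_buf+0x0/0x0 (constructed)
[  250.500000] Unable to handle kernel NULL pointer dereference (constructed)
[  250.500010] Call trace:
[  250.500020]  unrelated_driver_irq+0x0/0x0 (constructed)
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_mfc_faults "$sample" || echo "no MFC-related kernel faults found"
rm -f "$sample"
```

A match shows only that a kernel fault occurred in this code path; repeated matches on an unpatched device are the signal worth escalating.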

How to Mitigate CVE-2026-0116

Immediate Actions Required

  • Apply the March 2026 Android security patch to all affected devices as soon as the OEM makes it available
  • Update Pixel devices using the March 2026 Pixel Security Bulletin guidance
  • Restrict installation of media-handling applications to vetted sources and enforce Google Play Protect

Patch Information

Google published fixes in the Android Security Bulletin March 2026 and the Android Pixel Security Bulletin March 2026. Devices with the 2026-03-01 security patch level or later address this issue. Original equipment manufacturers (OEMs) integrate the upstream fix into their own update channels, so timing varies by device vendor.

Workarounds

  • Avoid opening untrusted video files or streams until the device is patched
  • Disable hardware-accelerated codec features where the OEM permits configuration changes
  • Enforce mobile device management policies that quarantine devices missing the March 2026 patch level

```bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-03-01 or later
```
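
To apply the same check to every connected device and get a machine-readable verdict, the comparison can be scripted. This is an added example, not part of the original advisory: the function names and the `--adb` switch are hypothetical, and the only value taken from the page is the 2026-03-01 patch level.

```bash
#!/bin/sh
# Added example: classify devices against the patch level stated in the bulletin.
FIXED_LEVEL=2026-03-01

# patch_status LEVEL: prints patched | needs-update | unknown
patch_status() {
  lvl=$(printf '%s' "$1" | tr -d '\r ')      # adb output may carry CR or spaces
  case $lvl in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo unknown; return 0 ;;             # empty, error text, or malformed value
  esac
  # ISO dates compare correctly as integers once the hyphens are removed.
  have=$(printf '%s' "$lvl" | sed 's/-//g')
  need=$(printf '%s' "$FIXED_LEVEL" | sed 's/-//g')
  if [ "$have" -ge "$need" ]; then echo patched; else echo needs-update; fi
}

# check_connected_devices: one tab-separated line per device that adb lists in
# state "device" (unauthorized and offline entries are skipped).
check_connected_devices() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    # </dev/null stops adb from consuming the serial list on stdin.
    lvl=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
          </dev/null | tr -d '\r')
    printf '%s\t%s\t%s\n' "$serial" "$lvl" "$(patch_status "$lvl")"
  done
}

# Only touch adb when explicitly asked, so the functions can be used offline.
if [ "${1:-}" = "--adb" ]; then check_connected_devices; fi
```

An `unknown` result should be treated as a failed check rather than a pass, since it means the property could not be read.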

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
