CVE-2026-0118 Overview
CVE-2026-0118 is a logic error in the Android oobconfig component that lets a local attacker bypass carrier restrictions. The result is local escalation of privilege: no additional execution privileges and no user interaction are needed. Google disclosed the issue in the Android Security Bulletin dated 2026-03-01; a Pixel Security Bulletin of the same date carries the corresponding Pixel-specific advisory.
The weakness is classified as CWE-693: Protection Mechanism Failure. Exploitation needs code execution on the device but no authentication, so a malicious application the user has installed is the realistic attack vector.
Critical Impact
A local attacker can bypass carrier restrictions enforced by oobconfig and obtain elevated privileges on affected Android devices, undermining device provisioning integrity.
Affected Products
- Google Android (per Android Security Bulletin 2026-03-01)
- Google Pixel devices (per Pixel Security Bulletin 2026-03-01)
- Android devices incorporating the vulnerable oobconfig component
Discovery Timeline
- 2026-03-01 - Fix and advisory published in the Android Security Bulletin and the Pixel Security Bulletin
- 2026-03-10 - CVE-2026-0118 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-0118
Vulnerability Analysis
The vulnerability resides in oobconfig, an Android out-of-box configuration component responsible for applying device provisioning policies including carrier restrictions. A logic error in the component's policy enforcement path allows those restrictions to be bypassed. Because oobconfig operates with privileges higher than third-party applications, a bypass translates directly into local privilege escalation.
Carrier restrictions are protection mechanisms that constrain device behavior based on carrier provisioning, including SIM locking and operator-specific configuration. Bypassing these checks gives an attacker access to functionality and capabilities normally gated behind privileged provisioning workflows.
Root Cause
The root cause is a protection mechanism failure (CWE-693) in the policy evaluation logic of oobconfig. Rather than a memory safety defect, the component fails to correctly enforce a security decision that should reject unauthorized state transitions. The flawed conditional path permits the restricted operation to proceed when it should be blocked.
Attack Vector
Exploitation requires only local access to the device. An attacker with the ability to run code locally, such as a malicious application installed by the user, can trigger the vulnerable code path in oobconfig and bypass carrier restrictions. No user interaction is required, and the attacker does not need pre-existing elevated privileges.
No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. For component-level technical details, refer to the Android Security Bulletin 2026-03-01.
Detection Methods for CVE-2026-0118
Indicators of Compromise
- Unexpected modification of carrier configuration state or SIM lock status on managed devices
- Applications invoking oobconfig interfaces outside of normal device provisioning workflows
- Android security patch level earlier than 2026-03-01 reported by enrolled devices (an exposure indicator, not evidence of compromise)
None of these indicators is specific to CVE-2026-0118. With no public proof-of-concept, no exploitation-specific artifacts are documented, so treat them as triage signals rather than confirmation of exploitation.
Detection Strategies
- Audit Android device security patch levels through mobile device management (MDM) inventory and flag devices that have not received the March 2026 security patch.
- Monitor installed applications for those requesting access to telephony or provisioning APIs inconsistent with their stated purpose.
- Correlate carrier configuration change events with the originating process to identify illegitimate sources of modification.
Monitoring Recommendations
- Enforce MDM compliance policies that require devices to be on the latest Android security patch level before granting access to corporate resources.
- Ingest mobile telemetry into a centralized analytics platform to detect anomalous provisioning activity across the fleet.
- Review logs from carrier-related system services for unexpected privilege transitions or restriction state changes.
How to Mitigate CVE-2026-0118
Immediate Actions Required
- Apply the Android security patch level 2026-03-01 or later to all affected devices.
- Update Pixel devices using the Pixel-specific patch published in the Pixel Security Bulletin 2026-03-01.
- Restrict sideloading of untrusted applications through MDM policy on managed devices.
- Verify device patch status across the fleet and quarantine non-compliant endpoints.
Patch Information
Google released fixes in the March 2026 Android security patch level. Device manufacturers integrate these fixes into vendor-specific builds. Refer to the Android Security Bulletin 2026-03-01 for component-level fix references and the Pixel Security Bulletin 2026-03-01 for Pixel build identifiers.
Workarounds
- No vendor-supplied workaround is documented; applying the March 2026 security patch is the supported remediation.
- Limit installation of applications to trusted sources such as Google Play, and disable installation from unknown sources via MDM.
- Enroll devices in an MDM solution that enforces minimum patch level compliance prior to network access.
# Verify Android security patch level on a device via adb
adb shell getprop ro.build.version.security_patch
# Requires USB debugging enabled on the device and an authorized adb host.
# Expected output for remediated devices: 2026-03-01 or later. The value is the patch level the OEM build integrates, so a later date also includes the fix; any earlier date means the device is unpatched regardless of its Android version.
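The single-device adb check above and the fleet-wide patch audit described under Detection Strategies and Immediate Actions both reduce to the same comparison, so one script serves both. The following is an added example, not code from the Android Security Bulletin, Google, or any MDM vendor. It assumes an inventory of "<serial> <patch-level>" lines (an MDM export, or the output of looping adb getprop over a list of serials); the serials and patch values in the embedded sample are constructed, not real devices. A blank or malformed patch value is deliberately reported rather than treated as compliant.

```shell
#!/bin/sh
# Added example (not vendor or bulletin code): fleet-wide check for the
# 2026-03-01 Android security patch level that carries the CVE-2026-0118 fix.
set -u

REQUIRED_PATCH="2026-03-01"   # first Android security patch level with the fix

# patch_is_current PATCH [REQUIRED]
# Exit 0 if PATCH (YYYY-MM-DD, the ro.build.version.security_patch format)
# is on or after REQUIRED, 1 if it is older, 2 if PATCH is not a well-formed date.
patch_is_current() {
    patch=$1
    required=${2:-$REQUIRED_PATCH}
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # ISO dates order correctly as plain integers once the dashes are removed.
    p=$(printf '%s' "$patch" | sed 's/-//g')
    r=$(printf '%s' "$required" | sed 's/-//g')
    [ "$p" -ge "$r" ]
}

# flag_noncompliant < inventory
# Reads "<serial> <patch-level>" lines, as an MDM export or a loop over
# `adb -s SERIAL shell getprop ro.build.version.security_patch` would produce,
# and prints "<serial> OUTDATED|UNKNOWN <value>" for each device to quarantine.
# Exit 0 only when every device is on the required level or newer.
flag_noncompliant() {
    bad=0
    while read -r serial patch rest; do
        [ -n "$serial" ] || continue
        status=0
        patch_is_current "$patch" "$REQUIRED_PATCH" || status=$?
        case $status in
            0) ;;
            1) printf '%s OUTDATED %s\n' "$serial" "$patch"; bad=$((bad + 1)) ;;
            *) printf '%s UNKNOWN %s\n' "$serial" "${patch:-<missing>}"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample inventory (hypothetical serials, not real devices):
#   ./check_patch_level.sh --demo
# Real use, reading an inventory file:
#   ./check_patch_level.sh - < inventory.txt
SAMPLE_INVENTORY='PIXEL-A1 2026-03-01
PIXEL-B2 2026-01-05
TAB-C3
PHONE-D4 2026-04-05
PHONE-E5 unknown'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_INVENTORY" | flag_noncompliant ;;
    -)      flag_noncompliant ;;
esac
```

On the sample inventory the script reports PIXEL-B2 as OUTDATED and TAB-C3 and PHONE-E5 as UNKNOWN, and exits non-zero; PIXEL-A1 and PHONE-D4 pass because a later patch level still includes the March 2026 fix. The non-zero exit is what an MDM compliance hook or CI job should key on.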
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.