CVE-2026-0119 Overview
CVE-2026-0119 is an out-of-bounds write vulnerability in the usim_SendMCCMNCIndMsg function within the usim_Registration.c component of Google Android. This memory corruption flaw enables physical privilege escalation without requiring any additional execution privileges or user interaction. The vulnerability affects the USIM (Universal Subscriber Identity Module) registration process, which handles mobile country code (MCC) and mobile network code (MNC) indication messages.
Critical Impact
Physical access to the device could allow an attacker to escalate privileges and achieve high impact on confidentiality, integrity, and availability of the system.
Affected Products
- Google Android (all versions prior to March 2026 security patch)
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-0119 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-0119
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-bounds Write), a memory corruption issue within the Android telephony subsystem. The flaw exists in the usim_SendMCCMNCIndMsg function responsible for processing USIM registration messages containing mobile country and network codes.
The vulnerability requires physical access to the device to exploit, making it relevant in scenarios involving stolen devices, forensic analysis attempts, or targeted attacks where physical access is possible. Once exploited, an attacker can achieve full compromise of confidentiality, integrity, and availability on the affected system without needing any existing privileges on the device.
Root Cause
The root cause lies in improper bounds checking within the usim_SendMCCMNCIndMsg function in usim_Registration.c. When processing MCC/MNC indication messages, the function fails to properly validate buffer boundaries before writing data, leading to memory corruption. This out-of-bounds write condition can be leveraged to overwrite adjacent memory regions, potentially corrupting function pointers or other critical data structures.
Attack Vector
The attack requires physical access to the target Android device. An attacker with physical access could manipulate the USIM registration process by injecting malformed MCC/MNC indication messages through the device's baseband processor interface. The exploitation does not require user interaction or any existing privileges on the system.
The vulnerability mechanism involves improper memory handling in the USIM registration component. When the usim_SendMCCMNCIndMsg function processes specially crafted input, it writes data beyond the allocated buffer boundaries. For detailed technical information, refer to the Android Security Bulletin March 2026.
Detection Methods for CVE-2026-0119
Indicators of Compromise
- Unexpected crashes or reboots in the telephony subsystem or radio interface layer (RIL)
- Anomalous behavior during SIM card initialization or network registration processes
- Unusual memory access patterns in processes related to usim_Registration or baseband communication
Detection Strategies
- Monitor Android system logs for crashes related to telephony services, particularly those involving USIM registration functions
- Implement endpoint detection solutions capable of identifying memory corruption exploit attempts targeting the baseband processor interface
- Deploy SentinelOne agents to detect suspicious privilege escalation attempts following unusual telephony subsystem activity
Monitoring Recommendations
- Enable verbose logging for telephony services to capture detailed information about USIM registration events
- Implement physical access controls and device integrity monitoring for high-value Android devices
- Monitor for unexpected modifications to system components or privilege escalation indicators following device access by third parties
How to Mitigate CVE-2026-0119
Immediate Actions Required
- Apply the March 2026 Android security patch immediately on all affected devices
- Implement physical access controls to limit exposure to devices containing sensitive data
- Review device inventory to identify all Android devices requiring patching
- For unpatched devices, consider restricting physical access or implementing additional device encryption
Patch Information
Google has addressed this vulnerability in the March 2026 Android Security Bulletin. Organizations should update affected devices to include the security patch level 2026-03-01 or later. The fix implements proper bounds checking in the usim_SendMCCMNCIndMsg function to prevent the out-of-bounds write condition. For detailed patch information, see the Android Security Bulletin March 2026.
Workarounds
- Enforce strict physical access controls to limit who can handle Android devices in your organization
- Enable full-disk encryption on all Android devices to protect data even if the device is physically compromised
- Implement mobile device management (MDM) solutions to enforce security policies and ensure timely patch deployment
- Consider enabling lockdown mode on devices containing highly sensitive information when physical security cannot be guaranteed
# Verify Android security patch level
adb shell getprop ro.build.version.security_patch
# Expected output should be 2026-03-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
