CVE-2026-0120 Overview
CVE-2026-0120 is a critical out-of-bounds write vulnerability affecting the modem component in Google Android. The flaw stems from an incorrect bounds check, which allows an attacker to write data beyond the allocated buffer boundaries. This vulnerability can be exploited remotely over the network to achieve code execution without requiring any user interaction or special privileges on the target device.
Critical Impact
Remote code execution is possible with no user interaction required. Attackers can fully compromise affected Android devices by exploiting the modem component over the network.
Affected Products
- Google Android (all versions without the March 2026 security patch)
- Google Pixel devices (prior to March 2026 security update)
- Android devices with affected modem firmware
Discovery Timeline
- 2026-03-10 - CVE-2026-0120 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-0120
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), a memory corruption issue that occurs when a program writes data past the end or before the beginning of an intended buffer. In the context of the Android modem component, the flaw exists due to an incorrect bounds check when processing network data.
The modem is a critical low-level component that handles cellular network communications. Vulnerabilities in this component are particularly severe because the modem operates at a fundamental level within the device's communication stack, often with elevated privileges. Successful exploitation grants attackers the ability to execute arbitrary code remotely without any user interaction.
Root Cause
The vulnerability originates from an improper bounds validation routine within the modem firmware. When the modem processes certain network packets or messages, it fails to correctly verify that the data length does not exceed the allocated buffer size. This oversight allows an attacker to craft malicious network traffic that triggers a write operation beyond the buffer's boundaries.
Out-of-bounds write vulnerabilities like this one can corrupt adjacent memory regions, overwrite critical data structures, or hijack program execution flow. In modem components, this type of flaw is especially dangerous because it can be triggered remotely via cellular network communications.
Attack Vector
The attack is network-based and can be initiated remotely without requiring physical access to the target device. The exploitation does not require any authentication or privileges on the target system, and no user interaction is necessary for the attack to succeed.
An attacker could potentially exploit this vulnerability by:
- Sending specially crafted network packets to the target device's modem
- Leveraging the incorrect bounds check to write arbitrary data beyond buffer limits
- Overwriting critical memory structures to gain control of program execution
- Achieving remote code execution within the modem context
The vulnerability is accessible from the network attack surface, making it exploitable from remote locations. The technical details of exploitation mechanics are documented in the Android Security Bulletin March 2026.
Detection Methods for CVE-2026-0120
Indicators of Compromise
- Unusual modem crash events or restarts without apparent cause
- Anomalous network traffic patterns targeting cellular communications
- Unexpected system behavior following cellular network activity
- Memory corruption indicators in modem-related logs
Detection Strategies
- Monitor system logs for modem component crashes or abnormal restarts
- Implement network traffic analysis to detect malformed packets targeting modem interfaces
- Deploy endpoint detection and response (EDR) solutions capable of monitoring low-level device behavior
- Utilize SentinelOne Singularity Mobile to detect exploitation attempts on Android devices
Monitoring Recommendations
- Enable comprehensive logging for modem and cellular components
- Configure alerting for unusual modem behavior patterns
- Regularly audit device security patch levels to identify vulnerable systems
- Monitor for indicators of post-exploitation activity such as unauthorized network connections
How to Mitigate CVE-2026-0120
Immediate Actions Required
- Apply the March 2026 Android security patch immediately on all affected devices
- Prioritize patching based on device exposure and criticality
- For unpatched devices, consider network-level mitigations where feasible
- Inventory all Android devices to identify vulnerable systems requiring updates
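The patch-level audit listed under Monitoring Recommendations and the device inventory listed above can share one script. The following is an added example, not part of the original advisory or of any vendor tooling: it reads each device's `ro.build.version.security_patch` property over adb and flags anything older than `REQUIRED_SPL`. The default of `2026-03-01`, the function names and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Assumption: the page names only "March 2026"; set REQUIRED_SPL to the exact
# patch level string the bulletin lists for CVE-2026-0120.
REQUIRED_SPL="${REQUIRED_SPL:-2026-03-01}"

# spl_status LEVEL: print PATCHED, VULNERABLE or UNKNOWN for one patch level.
spl_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    # YYYY-MM-DD orders correctly as an integer once the dashes are dropped.
    have=$(echo "$1" | tr -d '-')
    need=$(echo "$REQUIRED_SPL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# audit_inventory: read "SERIAL PATCH_LEVEL" lines, return 1 if any is not PATCHED.
audit_inventory() {
    rc=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        verdict=$(spl_status "$level")
        printf '%s %s %s\n' "$serial" "${level:-none}" "$verdict"
        [ "$verdict" = PATCHED ] || rc=1
    done
    return "$rc"
}

# collect_adb: emit "SERIAL PATCH_LEVEL" for every device adb can reach.
collect_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from swallowing the rest of the serial list.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
            </dev/null | tr -d '\r')
        echo "$serial $level"
    done
}

# Constructed sample inventory (not real devices); KIOSK-D reported no level.
sample_inventory() {
    printf '%s\n' 'PIXEL-A 2026-03-05' 'PIXEL-B 2026-02-05' 'TABLET-C 2025-12-01' 'KIOSK-D'
}

case "${1:-}" in
    --adb)  collect_adb | audit_inventory ;;
    --demo) sample_inventory | audit_inventory ;;
esac
```

Run it with `--adb` against attached devices or `--demo` for the constructed sample. A non-zero exit status means at least one device is below the required level or reported no patch level at all.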
Patch Information
Google has addressed this vulnerability in the March 2026 Android Security Bulletin. Organizations and users should apply the security update as soon as possible.
For Pixel devices, the update is available through the standard system update mechanism. For other Android devices, users should check with their device manufacturer for availability of the security update.
Workarounds
- No official workarounds are available for this vulnerability
- Patching remains the only definitive remediation
- Organizations may consider restricting affected devices from sensitive networks until patched
- Enable airplane mode on critical devices as a temporary measure if patching is not immediately possible