CVE-2026-0120: Google Android Modem RCE Vulnerability

CVE-2026-0120 is a remote code execution vulnerability in Google Android's modem component caused by an out-of-bounds write. Attackers can exploit this flaw without user interaction. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0120 Overview

CVE-2026-0120 is an out-of-bounds write vulnerability in the Android modem component. The flaw stems from an incorrect bounds check that allows attackers to write data beyond the intended memory buffer. Successful exploitation leads to remote code execution without requiring additional execution privileges or user interaction. Google disclosed the vulnerability in the March 2026 Android Security Bulletin. The weakness maps to [CWE-787] and affects baseband modem processing on Android devices.

Critical Impact

Attackers can achieve remote code execution on affected Android devices through the modem component without user interaction, enabling silent compromise over radio interfaces.

Affected Products

  • Google Android (per the March 2026 Android Security Bulletin)
  • Google Pixel devices (per the March 2026 Pixel Security Bulletin)
  • Android devices using the affected modem firmware

Discovery Timeline

  • 2026-03-10 - CVE-2026-0120 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-0120

Vulnerability Analysis

The vulnerability resides in the Android modem component, which handles cellular baseband processing. An incorrect bounds check permits an out-of-bounds write [CWE-787] during message parsing. Attackers can corrupt adjacent memory structures by supplying crafted input that exceeds the validated boundary. The corruption path leads to remote code execution within the modem's execution context.

Exploitation requires no privileges and no user interaction. The attack vector is network-based, meaning malicious radio frames or protocol messages can trigger the flaw. Modem-level code execution provides a privileged foothold beneath the Android application layer. From this position, attackers can intercept calls, exfiltrate identifiers, and pivot toward higher-value targets on the device.

Root Cause

The root cause is an incorrect bounds check that fails to validate buffer size before a write operation. The implementation trusts attacker-controlled length values or computes the boundary using flawed arithmetic. As a result, the write operation extends beyond the allocated buffer and overwrites adjacent data structures.

Attack Vector

A remote attacker delivers crafted protocol traffic to the targeted device. The modem parses the malformed input and triggers the boundary violation during processing. Because no user interaction is needed, the attack can be staged through a rogue base station or a man-in-the-middle position on the radio path. Successful exploitation yields code execution at the modem privilege level.

No public proof-of-concept exploit is currently available. Technical specifics are restricted to the vendor advisories listed in the Android Security Bulletin March 2026 and the Android Pixel Security Bulletin March 2026.

Detection Methods for CVE-2026-0120

Indicators of Compromise

  • Unexpected modem crashes, resets, or radio interface failures on affected Android devices.
  • Unexplained cellular connectivity drops correlated with proximity to unknown base stations.
  • Anomalous outbound traffic patterns originating from devices that have not been updated to the March 2026 patch level.

Detection Strategies

  • Inventory Android devices and identify those running below the 2026-03-01 security patch level using mobile device management (MDM) telemetry.
  • Monitor for repeated modem subsystem restarts in device logs, which can indicate exploitation attempts.
  • Correlate cellular anomalies with physical location data to identify possible rogue base station activity.

Monitoring Recommendations

  • Enforce MDM compliance policies that flag devices missing the March 2026 Android security patch.
  • Collect and centralize Android device logs in a SIEM for analysis of modem and radio events.
  • Alert on devices exhibiting repeated baseband resets or unauthorized network attachments.

How to Mitigate CVE-2026-0120

Immediate Actions Required

  • Apply the March 2026 Android security patch (patch level 2026-03-01 or later) on all managed devices.
  • Prioritize patching for Pixel devices using the March 2026 Pixel Security Bulletin updates.
  • Identify and remediate devices that cannot receive vendor updates by restricting their use in sensitive environments.

Patch Information

Google addressed CVE-2026-0120 in the March 2026 Android Security Bulletin. Devices must be updated to security patch level 2026-03-01 or later. Pixel-specific fixes are documented in the Android Pixel Security Bulletin March 2026. Downstream OEMs distribute the modem firmware update through their respective release channels.

Workarounds

  • No vendor-provided workaround exists; patching is the only complete remediation.
  • Limit exposure by disabling cellular radios on at-risk devices when updates are unavailable.
  • Restrict use of unpatched devices to environments where rogue base station attacks are infeasible.

```bash
# Verify Android security patch level via adb
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-03-01 or later
```
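
The manual adb check above, extended to every attached device and compared against the 2026-03-01 fix level. This is an added example, not part of the original advisory or any vendor tooling; the function names and the `audit` argument are assumptions of this example. Empty or malformed values are reported as UNKNOWN rather than treated as patched.

```bash
#!/bin/sh
# Added example (not vendor code): audit adb-attached devices against the
# CVE-2026-0120 fix level named on this page.
REQUIRED_SPL="2026-03-01"

# Print PATCHED, VULNERABLE or UNKNOWN for one patch-level string.
classify_spl() {
    # adb output usually ends in CR/LF; strip all whitespace first.
    spl=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty or malformed: never assume patched
    esac
    # Zero-padded YYYY-MM-DD compares correctly as an integer without dashes.
    have=$(printf '%s' "$spl" | tr -cd '0-9')
    need=$(printf '%s' "$REQUIRED_SPL" | tr -cd '0-9')
    if [ "$have" -ge "$need" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# One tab-separated line per device: serial, reported level, verdict.
# Returns non-zero if any device is not confirmed PATCHED.
audit_attached_devices() {
    rc=0
    # Only rows in state "device" are usable; offline/unauthorized are skipped.
    for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        raw=$(adb -s "$serial" shell getprop ro.build.version.security_patch)
        verdict=$(classify_spl "$raw")
        printf '%s\t%s\t%s\n' "$serial" "$(printf '%s' "$raw" | tr -d '[:space:]')" "$verdict"
        [ "$verdict" = PATCHED ] || rc=1
    done
    return "$rc"
}

# Run the audit only when asked, e.g.: sh spl_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_attached_devices
fi
```

The non-zero return status lets the audit gate a provisioning or compliance script.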

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
