CVE-2026-0010 · In onTransact of IDrmManagerService.cpp, there is a possible out of bounds write due to a missing bounds check.

01 · The Real Story

This is a bad lock inside the apartment, not an open front door

CVE-2026-0010 is an Android local elevation-of-privilege bug in drm/common/IDrmManagerService.cpp reachable through Binder IPC. The March 2, 2026 Android bulletin lists affected AOSP releases as Android 14, 15, and 16, and the fix lands in the March 2026 patch train; the patch replaces unsafe formatting around the FileDescriptorKey handling path in onTransact, eliminating the out-of-bounds write condition.

Google's HIGH 8.4 label is technically understandable because memory corruption in a privileged service can end in full device compromise. But for enterprise patch triage this is overstated: the attacker already needs code execution on the handset, the flaw is local-only (AV:L), there is no KEV listing, the supplied EPSS is negligible (0.00003), and there is no public exploit chain showing reliable weaponization at scale. That combination pushes this out of emergency patch territory.

"Serious on a compromised handset, but it is still a local post-compromise Android privesc with no field evidence."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code execution on the handset

The attacker first needs a runnable process on the target Android device, typically a malicious APK, sideloaded app, or a separate remote bug that already gave app-level code execution. The practical weapon here is a malicious app or a chained exploit, not CVE-2026-0010 by itself. This prerequisite is the biggest severity brake because it means the CVE is not an initial-access bug.

Conditions required:

Attacker can execute code locally on the Android device
Target is running an affected Android 14/15/16 build before the March 2026 patch level

Where this breaks in practice:

Managed Android fleets often restrict app install sources via MDM
Google Play Protect and app vetting reduce mass delivery success
This implies the attacker is already past initial access

Detection/coverage: Traditional network scanners will miss this entirely. Mobile threat defense, EDR-for-mobile, app inventory, and MDM controls are the meaningful coverage layers.

STEP 02

Reach the DRM Binder service

From the local app context, the attacker uses a custom Binder client to talk to the DRM manager service and hit the vulnerable onTransact path. Binder is Android's local IPC fabric, so this traffic stays on-device and never creates a remotely scannable service surface. The exploit attempt depends on the service being reachable from the caller's SELinux and Binder context.

Conditions required:

Local process can issue Binder transactions
The targeted DRM service path is exposed to the app context on that build/OEM variant

Where this breaks in practice:

SELinux policy and service-specific permission checks can narrow reachability
OEM customizations may alter service behavior and exploit reliability
No internet-exposed port or externally reachable endpoint exists

Detection/coverage: Static code scanners and SBOMs can flag vulnerable build levels, but exposure validation usually requires build/SP level checks on-device.

STEP 03

Trigger the out-of-bounds write

The exploit sends a crafted transaction that abuses the FileDescriptorKey handling path, where the original code used fixed-size stack storage and unsafe formatting. A reliable exploit needs a custom Binder fuzzing/exploitation harness and enough precision to turn a crash into controlled corruption. The public patch proves the bug class, but no public weaponized PoC appears to be circulating.

Conditions required:

Precise malformed transaction data
Exploit reliability against the target build, architecture, and OEM hardening

Where this breaks in practice:

Memory-corruption exploitation on modern Android is non-trivial
Compiler hardening, SELinux, and per-build variance can turn weaponization into a device-specific exercise
Lack of public PoC raises operational cost for attackers

Detection/coverage: Crash telemetry, tombstones, and anomalous DRM service crashes are the likely breadcrumbs. Signature-based scanners generally won't see an exploit attempt directly.

STEP 04

Escape the app sandbox and operate with elevated privilege

If exploitation succeeds, the attacker can move from app context into a more privileged service context and defeat the normal Android application sandbox boundary. That unlocks data access or follow-on actions that a normal app should not have. Impact is serious on a single compromised device, but the blast radius remains per-device, not fleet-wide from one shot.

Conditions required:

Successful local exploitation
Useful post-exploitation path from the compromised DRM service context

Where this breaks in practice:

Compromise does not automatically spread across the fleet
Attack value is highest on already-targeted or high-interest handsets, not generic internet exposure

Detection/coverage: Mobile EDR, forensic collection, privilege-boundary anomaly detection, and device attestation drift are more relevant than perimeter telemetry.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found. Google's March 2026 bulletin calls out a different issue, `CVE-2026-21385`, as potentially under targeted exploitation; it does not make that claim for CVE-2026-0010. Source: Android bulletin
Proof-of-concept availability	No public PoC located. The public evidence is the AOSP fix commit and diff, which are enough for a capable exploit developer but not a turnkey weapon. Sources: commit, diff
EPSS	0.00003 from the supplied intel, which is effectively floor-level exploit likelihood in the next 30 days. FIRST defines EPSS as the probability of exploitation in the wild over the next 30 days and publishes daily score/percentile fields. Source: FIRST EPSS data notes
KEV status	Not KEV-listed per the supplied intel, and the authoritative catalog is CISA's KEV list. Source: CISA KEV catalog
CVSS vector reality check	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` means local-only exploitation with high impact after success. The `AV:L` term is the key downward pressure for enterprise prioritization: this is a privesc on a device you already landed on. Source: NVD
Affected versions	Google lists updated AOSP versions for this CVE as 14, 15, 16 in the `2026-03-01` patch level bulletin. Source: Android bulletin
Fixed versions	Treat devices with Android security patch level `2026-03-01` or later as fixed for this CVE, with OEM delivery timing varying by vendor. The code fix is present in AOSP via the public patch. Sources: Android bulletin, AOSP fix
Scanning / exposure data	Not internet-scannable in any meaningful sense. The vulnerable path is reached through Android Binder IPC, which is local interprocess communication rather than a network-facing service, so Shodan/Censys/FOFA-style exposure counts are not useful here. Source: Binder overview
Disclosure date	2026-03-02 in both the supplied intel and the Android bulletin publication date. Sources: Android bulletin, NVD
Reporter / researcher	No external finder credit is visible in the public bulletin. The public patch was authored by Kyle Zhang (Google), which suggests internal discovery or internal handling unless Google publishes fuller credit elsewhere. Source: AOSP commit metadata

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.9/10)

The decisive factor is attacker position: this bug is a local Android privesc, so the attacker already needs code execution on the handset before CVE-2026-0010 matters. With no KEV, no public PoC, and near-zero EPSS, the reachable population and observed threat pressure are both materially lower than the vendor baseline implies.

HIGH Local-only attacker-position assessment

MEDIUM Operational exploitability without a public PoC

MEDIUM Fleet-wide enterprise prioritization versus single-device technical impact

Why this verdict

Down from 8.4 because AV:L means post-compromise. An attacker must already be executing code on the device; that is a major real-world filter compared with remotely reachable bugs.
Down again because exposure population is narrow. This is Binder-mediated local IPC, not an internet-facing service, so external attack-surface size is effectively zero.
Down again because threat intel is cold. No KEV listing, no public exploitation claim, no public PoC, and the supplied EPSS of 0.00003 all argue against urgent mass exploitation risk.
Held at MEDIUM, not LOW, because successful exploitation breaks the Android app sandbox. Once triggered, the impact on an individual device can still be severe.

Why not higher?

This is not a one-packet fleet problem. It requires prior code execution on the handset and then a reliable local memory-corruption exploit path against a privileged service, which compounds attacker cost and cuts the exposed population dramatically. If this were remotely reachable, KEV-listed, or backed by a public exploit, the rating would move up fast.

Why not lower?

Do not shrug this off as harmless hygiene. A sandbox escape / privesc on managed mobile devices still matters because one malicious or compromised app can turn into a much deeper device compromise. The impact is strong enough that it belongs above backlog-only treatment, just not above remotely exploitable or actively exploited issues.

05 · Compensating Control

What to do — in priority order.

Restrict app installation paths — Use MDM to block sideloading, unknown sources, and unapproved app stores because this CVE needs local code execution first. For a MEDIUM verdict there is no mitigation SLA, but this is the best risk-reduction lever and should be enforced in your normal mobile policy cycle rather than waiting on the patch.
Enforce Play Protect and mobile threat defense — Keep Google Play Protect enabled and require your mobile threat defense agent on managed Android devices so malicious APK delivery is harder and suspicious app behavior is surfaced sooner. For MEDIUM, there is no mitigation SLA — go straight to the remediation window unless your environment allows broad sideloading.
Prioritize risky device cohorts — If you cannot update everything at once, move devices used by admins, executives, developers, shared kiosks, and BYOD-like exception groups to the front because the value of a local privesc is highest where device trust matters most. For MEDIUM, do this inside normal maintenance planning rather than emergency change control.

What doesn't work

Perimeter firewalls or WAFs do nothing here because the vulnerable surface is local Binder IPC, not a network service.
External attack-surface scanners like Shodan/Censys-style workflows do not help identify exposure because there is no internet-facing listener to fingerprint.
Password resets or MFA changes do not address the core issue; the risk is local privilege escalation after code execution on-device.

06 · Verification

Crowdsourced verification payload.

Run this on the target Android device shell through adb shell sh /data/local/tmp/check_cve_2026_0010.sh or from your EMM/MDM shell runner. It needs only standard shell access to read system properties; no root is required. Example: adb push check_cve_2026_0010.sh /data/local/tmp/ && adb shell sh /data/local/tmp/check_cve_2026_0010.sh.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/system/bin/sh
# check_cve_2026_0010.sh
# Determine likely exposure to CVE-2026-0010 using Android release and security patch level.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

TARGET_SPL="2026-03-01"

release="$(getprop ro.build.version.release)"
codename="$(getprop ro.build.version.release_or_codename)"
spl="$(getprop ro.build.version.security_patch)"
product="$(getprop ro.product.manufacturer) $(getprop ro.product.model)"

# Normalize release major version.
major=""
case "$release" in
  14|15|16)
    major="$release"
    ;;
  *)
    case "$codename" in
      14*|15*|16*) major="$(echo "$codename" | cut -d. -f1)" ;;
      *) major="" ;;
    esac
    ;;
esac

if [ -z "$spl" ]; then
  echo "UNKNOWN - missing security patch level property on $product"
  exit 2
fi

# Lexical compare works for YYYY-MM-DD format.
if [ -z "$major" ]; then
  echo "UNKNOWN - Android release '$release' / codename '$codename' not in known affected set; SPL=$spl on $product"
  exit 2
fi

if [ "$major" != "14" ] && [ "$major" != "15" ] && [ "$major" != "16" ]; then
  echo "PATCHED - release $major not listed as affected; SPL=$spl on $product"
  exit 0
fi

if [ "$spl" \< "$TARGET_SPL" ]; then
  echo "VULNERABLE - Android $major with SPL $spl is older than $TARGET_SPL on $product"
  exit 1
fi

echo "PATCHED - Android $major with SPL $spl meets or exceeds $TARGET_SPL on $product"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: treat this as mobile privesc debt, not an incident-level fire drill. Use MDM to inventory all Android 14/15/16 devices below security patch level 2026-03-01, keep sideloading and non-approved app sources locked down, and validate that Play Protect / mobile threat defense is enabled everywhere. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window, so the immediate task is accurate scoping and normal-risk reduction, then push the actual March 2026-or-later Android security update inside the noisgate remediation SLA of ≤365 days; if you have high-risk mobile cohorts, move them ahead of the general fleet even though this is not an emergency patch item.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.