CVE-2026-0117 · In mfc_dec_dqbuf of mfc_dec_v4l2.c, there is a possible out of bounds write due to an incorrect bounds check.

01 · The Real Story

This is a hidden trapdoor inside the building, not a front-door break-in

CVE-2026-0117 is an out-of-bounds write in mfc_dec_dqbuf inside the MFC/V4L2 media path, yielding local elevation of privilege. The authoritative scope is narrower than the generic Android wording suggests: OSV tags it as Pixel-family specific and marks it fixed at the 2026-03-05 security patch level, while the Pixel March 2026 bulletin lists it under the MFC subcomponent as EoP High.

The vendor's 8.4/HIGH score is technically defensible in a lab because successful exploitation can plausibly end in kernel-level compromise with no user interaction. In enterprise reality, though, the biggest fact is the one CVSS hides in plain sight: AV:L means the attacker already has code execution on the phone, so this is mostly a stage-two privilege escalator with a narrower affected population and no current exploitation signal.

"Serious once malware lands, but this is a post-compromise Pixel-local privesc, not a fleet-wide fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code execution on the device

The attacker first needs a runnable foothold on the target phone, typically a malicious app, abused enterprise-signed app, test harness, or adb shell access. CVSS says PR:N/UI:N, but that does not mean remote unauthenticated reachability; it means once code is running locally, no extra Android privilege is required to start the exploit chain.

Conditions required:

Attacker can execute code locally on the phone
Target is an affected Google Pixel-family device
Device security patch level is earlier than 2026-03-05

Where this breaks in practice:

Managed Play-only fleets, strong MDM, and blocked sideloading reduce how often stage one exists
USB debugging and developer access are commonly disabled in managed fleets
This prerequisite already implies partial compromise

Detection/coverage: Mobile EDR/MTD and MDM telemetry are best placed to catch the prerequisite. Network scanners will not see this step.

STEP 02

Reach the vulnerable MFC decode path

A custom exploit app or JNI harness drives the media stack toward the MFC decoder path and eventually into mfc_dec_dqbuf. This is a hardware/driver-specific path, so exploit authors need a device where the vulnerable MFC implementation is actually present and reachable.

Conditions required:

MFC subcomponent is present on the target build
Exploit code can interact with the media/V4L2 path
Build has not received the March 2026 Pixel fix

Where this breaks in practice:

OSV marks the issue as Pixel-family specific rather than broad AOSP-wide
Device/firmware variance makes one-size-fits-all weaponization harder
Some fleets have low app diversity and tighter runtime controls

Detection/coverage: Static vuln scanners generally infer exposure from patch level, not live exploitability. Behavioral detection would need visibility into unusual media-device access or suspicious codec interaction.

STEP 03

Trigger the out-of-bounds write

The exploit supplies crafted state so the incorrect bounds check in mfc_dec_dqbuf produces an out-of-bounds write. From there the attacker aims to corrupt adjacent kernel memory in a controlled enough way to pivot into privilege escalation.

Conditions required:

Exploit has target-specific knowledge of memory layout and driver behavior
The write can be made reliable on the target build

Where this breaks in practice:

Kernel exploit reliability is materially harder than just reaching a vulnerable function
Modern mitigations such as SELinux, hardening, allocator behavior, and build differences can turn crashes into failed exploitation

Detection/coverage: Likely observables are instability, crashes, or anomalous access to media device nodes; signature-based vulnerability scanners will not validate this live.

STEP 04

Convert corruption into root-level impact

If exploitation succeeds, the attacker can elevate from app context into highly privileged kernel or system execution. That can undermine mobile controls, expose enterprise data, and potentially neutralize local security tooling on the device.

Conditions required:

Successful kernel memory corruption primitive
Ability to chain the primitive into usable privilege escalation

Where this breaks in practice:

No public PoC or in-the-wild evidence was located in the reviewed sources
Mobile post-exploitation still has to survive persistence, update cycles, and MDM response

Detection/coverage: Look for sudden privilege changes, tampering with security tooling, suspicious persistence, or crash-to-compromise patterns on affected Pixels.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No active exploitation evidence located. `KEV: no` appears in OpenCVE enrichment, and the reviewed Google advisories do not mention exploitation.
Proof-of-concept availability	No public PoC found in the reviewed sources. Search results reviewed did not surface a GitHub or Exploit-DB weaponization; that is an inference from available sources, not a vendor statement.
EPSS	Low threat signal. Reviewed CVE aggregators show `EPSS 0.01%`; percentile was not exposed in the sources reviewed.
KEV status	Not KEV-listed. No CISA KEV entry was found for `CVE-2026-0117`, so there is no federal due date tied to KEV.
CVSS vector reality check	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` means local code execution first, then big impact. That is classic post-initial-access privesc math.
Affected versions	Narrower than generic Android wording. OSV marks the issue as `Pixel-family specific`; the Pixel bulletin places it in the `MFC` subcomponent.
Fixed version	Fixed at Pixel security patch level `2026-03-05`. Google states security patch levels of `2026-03-05` or later address all issues in the March 2026 Pixel bulletin.
Scanning / exposure data	Not internet-addressable. This is a local device-side bug, so Shodan/Censys/FOFA-style external exposure counting is mostly irrelevant; patch-level inventory is the right lens.
Disclosure timeline	Disclosed `2026-03-10`. NVD published the CVE on `2026-03-10`, and the Pixel bulletin was last updated `2026-03-10 UTC`.
Reporting / ownership	Assigner: `Google_Devices`. OpenCVE shows discovery as `UNKNOWN`, so there is no named external researcher in the reviewed authoritative records.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.9/10)

The decisive downgrade factor is attacker position: this bug requires local code execution on the phone before it matters, which makes it a post-compromise escalator rather than an initial-access event. The affected population is also narrower than the generic Android label suggests because the authoritative OSV record marks it as Pixel-family specific and fixed at the 2026-03-05 patch level.

HIGH This is a local post-initial-access privilege escalation, not a remotely reachable fleet-wide entry point

MEDIUM Affected scope is Pixel-family specific based on OSV and the Pixel bulletin

Why this verdict

Started from vendor 8.4/HIGH because successful exploitation can plausibly deliver full device compromise
Minus for attacker position: AV:L means the adversary already runs code on the device, which implies a prior compromise stage and sharply narrows reachable targets
Minus for exposure population: OSV marks the issue Pixel-family specific, so this is not a broad all-Android emergency
Minus for threat evidence: no KEV listing, no public PoC located in reviewed sources, and only 0.01% EPSS signal

Why not higher?

There is no sign this is crossing the line from technical severity into operational urgency. Without remote reachability, KEV status, public weaponization, or exploitation evidence, treating it like a top-tier emergency for a 10,000-device fleet would waste scarce patching attention.

Why not lower?

Once malicious code is already on an affected device, this is still a serious privilege boundary failure with high-impact outcomes. On managed mobile fleets, a successful local privesc can break work-profile isolation, undermine MTD/EDR, and expose enterprise credentials or data.

05 · Compensating Control

What to do — in priority order.

Enforce trusted-app-only policy — Reduce the only practical entry condition: local code execution. Keep Play-only or allowlisted enterprise app install policies in place and review exceptions now; for a MEDIUM verdict there is no mitigation SLA, so do this in the normal hardening cycle while driving remediation inside the 365-day patch window.
Disable sideloading and USB debugging — This removes two common ways attackers and red teams land local code on managed phones. Push the policy through MDM for all non-developer cohorts; again, there is no mitigation SLA here, so treat it as standard fleet hygiene rather than an emergency block.
Prioritize risky cohorts — Developer devices, executive devices, test phones, and users with broader app install freedom have the highest chance of satisfying the local-execution prerequisite. Re-scope those groups first in your mobile vulnerability dashboard and fold them into the next update wave.
Monitor unusual media-device access — If your mobile telemetry stack exposes suspicious codec or device-node access, alert on apps touching video/codec paths without a legitimate business reason. This is a weak but useful tripwire for exploitation attempts and post-exploitation testing.

What doesn't work

Perimeter controls like WAF, IPS, or email gateway tuning do not address the vulnerable step because the exploit path is local on-device.
MFA does not mitigate a kernel/media driver local privilege escalation once malicious code already runs on the phone.
Relying only on network vulnerability scanners will miss the real risk picture; this needs patch-level inventory and mobile fleet management data, not external exposure scans.

06 · Verification

Crowdsourced verification payload.

Run this on the target Android/Pixel device via adb shell sh /data/local/tmp/check-cve-2026-0117.sh or through your MDM agent's shell task runner. It needs only normal shell access; root is not required. The script checks whether the device looks like a Google/Pixel-class target and whether its ro.build.version.security_patch is earlier than 2026-03-05.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/system/bin/sh
# check-cve-2026-0117.sh
# Purpose: best-effort verification for CVE-2026-0117 exposure on Android/Pixel devices
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

TARGET_SPL="2026-03-05"

getp() {
  getprop "$1" 2>/dev/null
}

normalize_date() {
  echo "$1" | tr -d '-'
}

SPL="$(getp ro.build.version.security_patch)"
BRAND="$(getp ro.product.brand)"
MANUFACTURER="$(getp ro.product.manufacturer)"
MODEL="$(getp ro.product.model)"
DEVICE="$(getp ro.product.device)"

if [ -z "$SPL" ]; then
  echo "UNKNOWN"
  echo "reason=missing_security_patch_property"
  exit 2
fi

case "$(echo "$BRAND $MANUFACTURER" | tr '[:upper:]' '[:lower:]')" in
  *google*)
    IS_GOOGLE=1
    ;;
  *)
    IS_GOOGLE=0
    ;;
esac

# OSV marks this issue Pixel-family specific. If this does not look like a Google device,
# we cannot confidently label it vulnerable from patch level alone.
if [ "$IS_GOOGLE" -ne 1 ]; then
  echo "UNKNOWN"
  echo "reason=non_google_or_non_pixel_scope"
  echo "brand=$BRAND"
  echo "manufacturer=$MANUFACTURER"
  echo "model=$MODEL"
  echo "device=$DEVICE"
  echo "security_patch=$SPL"
  exit 2
fi

SPL_NUM="$(normalize_date "$SPL")"
TARGET_NUM="$(normalize_date "$TARGET_SPL")"

case "$SPL_NUM" in
  ''|*[!0-9]*)
    echo "UNKNOWN"
    echo "reason=unparseable_security_patch"
    echo "security_patch=$SPL"
    exit 2
    ;;
esac

HAS_VIDEO=0
ls /dev/video* >/dev/null 2>&1 && HAS_VIDEO=1

if [ "$SPL_NUM" -ge "$TARGET_NUM" ]; then
  echo "PATCHED"
  echo "brand=$BRAND"
  echo "manufacturer=$MANUFACTURER"
  echo "model=$MODEL"
  echo "device=$DEVICE"
  echo "security_patch=$SPL"
  exit 0
fi

# Pre-fix Google device. Presence of /dev/video* increases confidence that media device nodes exist,
# but absence does not prove safety because access may be hidden or restricted.
if [ "$HAS_VIDEO" -eq 1 ]; then
  echo "VULNERABLE"
  echo "brand=$BRAND"
  echo "manufacturer=$MANUFACTURER"
  echo "model=$MODEL"
  echo "device=$DEVICE"
  echo "security_patch=$SPL"
  echo "evidence=pre_2026_03_05_patch_and_video_nodes_present"
  exit 1
fi

echo "VULNERABLE"
echo "brand=$BRAND"
echo "manufacturer=$MANUFACTURER"
echo "model=$MODEL"
echo "device=$DEVICE"
echo "security_patch=$SPL"
echo "evidence=pre_2026_03_05_patch_level"
exit 1

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull a fleet report for Google Pixel devices and sort by ro.build.version.security_patch, flagging anything earlier than 2026-03-05. Because this is a post-initial-access local privesc with no KEV listing or reviewed exploitation evidence, there is noisgate mitigation SLA — go straight to the 365-day remediation window; use the noisgate remediation SLA to get every affected device to 2026-03-05 or later within 365 days, but front-load higher-risk cohorts like developer phones, sideload-enabled users, USB-debug-enabled devices, and executive endpoints in the next maintenance cycle.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.