Description
In multiple locations, there is a possible out of bounds read and write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

In Android 16.0, multiple code paths can trigger a heap buffer overflow, resulting in out‑of‑bounds reads and writes. The flaw can be exploited by a remote attacker to execute arbitrary code without needing elevated privileges, and the attack does not require any action from the device user.

Affected Systems

Google Android 16.0 devices are affected. The vulnerability is present in the core operating system, so all devices running this version (or any earlier unpatched releases containing the same code) are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating critical severity, with an EPSS score of less than 1% – exploitation is possible but rare in the wild. Not listed in the CISA Known Exploited Vulnerabilities catalog, the vulnerability remains a high‑risk target for attackers exploiting remote code execution with no user interaction.

Generated by OpenCVE AI on April 16, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch for version 16.0 issued on March 1 2026.
  • If an immediate OS update is not possible, disable or restrict any services or applications that invoke the flawed code path and block associated remote traffic at the network perimeter.
  • Deploy monitoring to detect anomalous network activity that could indicate exploitation attempts against the vulnerable component.

Generated by OpenCVE AI on April 16, 2026 at 14:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In multiple locations, there is a possible out of bounds read and write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:46:43.807Z

Reserved: 2025-10-15T15:38:12.597Z

Link: CVE-2026-0006

cve-icon Vulnrichment

Updated: 2026-03-02T21:51:46.568Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:29.140

Modified: 2026-03-06T04:16:02.823

Link: CVE-2026-0006

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses