CVE-2026-0109 - Vulnerability Details

- Android dhd_ip.c Denial of Service via TCP Data Info Retrieval

Description

In dhd_tcpdata_info_get of dhd_ip.c, there is a possible Denial of Service due to a precondition check failure. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Published: 2026-03-10

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the dhd_tcpdata_info_get function of dhd_ip.c within the Android operating system. A precondition check failure can trigger a remote denial of service. The flaw allows an attacker to interrupt network traffic handling with no privileges or user interaction. The impact is that the affected device can become unresponsive or malfunction in its network stack, compromising availability.

Affected Systems

All Android devices running the affected build of the operating system are at risk. No specific version or build details are provided by the CNA, so all deployments of Google:Android should be considered potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1% suggests the probability of exploitation remains low at present, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. An attacker can exploit the flaw remotely via the device’s network interface without requiring elevated privileges or user interaction. The high score combined with the low EPSS points to a moderate overall risk that warrants timely mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Android

unaffected

Version	Status	Constraints
`Android kernel`	affected	—

Configuration 1 [-]

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Android

100%

Version	Status	Scheme	Platform
`Android kernel`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Android operating system to the latest version that includes the vendor patch for this issue.
Apply the official security patch or update as soon as it becomes available from Google for your device.
If the patch cannot be applied immediately, isolate the device from untrusted networks or disable unused network interfaces to reduce exposure.
Continuously monitor device logs for signs of repeated network failures or abnormal traffic that may indicate exploitation.

Generated by OpenCVE AI on April 16, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00193.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://source.android.com/docs/security/bulletin/2026/2026-03-01
https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01

History

Thu, 16 Apr 2026 03:45:00 +0000

Type	Values Removed	Values Added
Title		Android dhd_ip.c Denial of Service via TCP Data Info Retrieval

Thu, 12 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1419
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-754
CPEs		cpe:2.3:o:google:android:-:::::::*

Wed, 11 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
References		https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android
Vendors & Products		Google Google android

Tue, 10 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
References	https://source.android.com/security/bulletin/pixel/2026-03-01

Tue, 10 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		https://source.android.com/docs/security/bulletin/2026/2026-03-01

Tue, 10 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		In dhd_tcpdata_info_get of dhd_ip.c, there is a possible Denial of Service due to a precondition check failure. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References		https://source.android.com/security/bulletin/pixel/2026-03-01

Subscriptions

Google Android

MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published: 2026-03-10T20:46:38.555Z

Updated: 2026-03-11T14:57:20.090Z

Reserved: 2025-10-23T08:43:01.281Z

Link: CVE-2026-0109

Vulnrichment

Updated: 2026-03-11T14:57:11.611Z

NVD

Status : Analyzed

Published: 2026-03-10T21:16:44.333

Modified: 2026-03-11T17:14:20.203

Link: CVE-2026-0109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object