This is a mislabeled fire alarm attached to a room you already had to break into
The underlying bug sits in Android's ManagedServices.java handling for notification-related managed services. Google shipped a fix in the March 2026 Android Security Bulletin, and the public references tie it to Android 14, 15, 16, and Android 16 QPR2 beta builds; the patch adds guardrails around how many services can be approved and only rebinding when state actually changes, which is consistent with preventing a notification-policy state desynchronization.
For enterprise prioritization, the vendor's HIGH 8.4 overstates reality. This is a local-only, post-compromise path that requires attacker code already running on the handset, has no internet-exposed surface, has no KEV listing, essentially no EPSS signal, no public PoC located, and the biggest practical fact of all: the CVE ID itself is now marked withdrawn in OSV/CVE-derived feeds, so this should not consume standalone patch-program attention.
3 steps from start to impact.
Land code execution on the device with a malicious APK
AV:L means the chain starts only after the device is already running attacker-controlled code.- Attacker can get an app installed or otherwise execute code on the handset
- Target is on an affected Android branch
- Managed enterprise devices often block unknown sources and enforce app allowlisting
- Google Play Protect, MDM policy, and user-install restrictions cut the reachable population sharply
- This prerequisite already implies a prior compromise stage
Abuse managed-service state transitions with a custom app
setPackageOrComponentEnabled. The patch shows the weak spot was state handling around approval lists and rebinding behavior; before the fix, malformed or excessive state changes could desynchronize policy from actual approval state.- Attacker app can invoke the relevant platform paths
- Device is unpatched for the March 2026 fix
- No public exploit kit or commodity tool was found for this CVE
- Abuse appears logic-specific rather than broadly weaponizable
- Modern mobile hardening reduces who can reliably reach these flows at scale
Gain notification-policy-adjacent privilege through desync
- The state desync actually grants usable access on the target build
- Enterprise controls do not already constrain notification access behavior
- Blast radius is device-local, not tenant-wide or remotely wormable
- Impact is meaningful on the handset but not equivalent to edge compromise of enterprise infrastructure
- Many enterprises can wipe, quarantine, or re-enroll a bad device once compromise is suspected
The supporting signals.
| CVE status | Withdrawn as shown by OSV, which mirrors the CVE record and lists withdrawal on 2026-05-04 |
|---|---|
| In-the-wild status | No evidence located of active exploitation; CISA KEV does not list it |
| Public PoC | No public GitHub PoC or exploit repository found in source review; available material is advisory-only |
| EPSS | User-supplied EPSS is 0.00005 (effectively noise-floor likelihood); even third-party mirrors keep it near zero |
| KEV | Not listed in the CISA Known Exploited Vulnerabilities Catalog |
| CVSS vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — the important bit is AV:L: attacker code must already be running on the device |
| Affected versions | Android 14, 15, 16, 16-qpr2 per the March 2026 bulletin and CVE-derived version records |
| Fix signal | Google's March 2026 bulletin includes the issue, and the referenced AOSP change adds service-count limits and only applies follow-on actions when state actually changed |
| Fixed version / patch level | Treat devices on Android security patch level 2026-03-01 or later as containing the bulletin fix; OEM backports may vary by handset |
| Exposure reality | This is not internet-scannable and has no meaningful Shodan/Censys/GreyNoise exposure picture because the vulnerable surface is local framework logic on the handset |
noisgate verdict.
The decisive factor is that this chain starts after code execution already exists on the Android device, which makes it a post-initial-access local privilege path rather than an enterprise intrusion driver. The final downgrade to IGNORE is driven by the CVE's withdrawn status, which means it should not be tracked as a live standalone identifier in your patch queue.
Why this verdict
- Starts post-compromise:
AV:Lmeans the attacker already has code running on the device; that is downward pressure from the first move of the chain. - No exposed edge surface: this is not a remotely reachable service, not scannable from the internet, and not something a perimeter attacker can hit across 10,000 endpoints.
- Exploit signal is weak-to-nonexistent: no KEV, no public PoC found, and EPSS is essentially at the floor.
- The identifier was withdrawn: that alone is enough to keep this out of active CVE-driven prioritization, even if the underlying March 2026 Android fix still exists.
Why not higher?
A higher bucket would require an attacker to reach this at scale before compromise or through a broadly exposed service. That is not the case here: the attack position is local, the reachable population is whatever subset of devices can be made to run a malicious app, and the CVE is no longer an active identifier.
Why not lower?
There is no lower bucket than IGNORE in this schema. Even so, you should not forget the underlying code change exists in the March 2026 Android bulletin; just track it as normal Android maintenance rather than as an emergency CVE event.
What to do — in priority order.
- Document the withdrawal — Mark
CVE-2026-0034as a withdrawn identifier in your VM platform and suppress emergency workflow generation. For anIGNOREverdict there is no action required beyond documenting rationale, but do it now so the ticket does not keep resurfacing. - Enforce managed mobile app controls — Keep sideloading blocked, require approved app stores, and maintain Play Protect/mobile threat defense because the real prerequisite is attacker code execution on-device. This is routine mobile hardening, not a special mitigation campaign; for
IGNORE, there is no dedicated SLA-triggered compensating-control push. - Roll the fix into normal Android bulletin hygiene — If your fleet still has devices below the March 2026 Android patch level, include the bulletin in standard OS update operations. This is housekeeping rather than incident-mode response because the CVE is withdrawn and the attack path is local-only.
- Perimeter scanning doesn't help; there is no remotely reachable network service to fingerprint for this bug.
- WAF, IPS, and email gateway tuning don't materially address the vulnerable code path because exploitation is not an inbound network attack.
- Chasing the CVE ID in edge exposure tools is wasted motion once the identifier is withdrawn.
Crowdsourced verification payload.
Run this on an auditor workstation with adb installed, not on the handset itself. Invoke it as ./check-cve-2026-0034.sh for the single attached device or ./check-cve-2026-0034.sh SERIAL123 for a specific device; it needs no root, just adb access and device authorization.
#!/usr/bin/env bash
# check-cve-2026-0034.sh
# Determine likely exposure to the March 2026 Android bulletin fix tied to CVE-2026-0034.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
TARGET_SPL="2026-03-01"
SERIAL_ARG="${1:-}"
ADB_BASE=(adb)
if ! command -v adb >/dev/null 2>&1; then
echo "UNKNOWN: adb not found in PATH"
exit 2
fi
if [[ -n "$SERIAL_ARG" ]]; then
ADB_BASE+=( -s "$SERIAL_ARG" )
fi
adb_getprop() {
"${ADB_BASE[@]}" shell getprop "$1" 2>/dev/null | tr -d '\r'
}
STATE=$("${ADB_BASE[@]}" get-state 2>/dev/null || true)
if [[ "$STATE" != "device" ]]; then
echo "UNKNOWN: no authorized adb device available"
exit 2
fi
SDK=$(adb_getprop ro.build.version.sdk)
SPL=$(adb_getprop ro.build.version.security_patch)
RELEASE=$(adb_getprop ro.build.version.release)
BUILD=$(adb_getprop ro.build.display.id)
if [[ -z "$SDK" || -z "$SPL" ]]; then
echo "UNKNOWN: unable to read required Android properties"
exit 2
fi
if ! [[ "$SDK" =~ ^[0-9]+$ ]]; then
echo "UNKNOWN: unexpected SDK value '$SDK'"
exit 2
fi
# Android 14/15/16 map to SDK 34/35/36.
AFFECTED=0
if [[ "$SDK" -ge 34 && "$SDK" -le 36 ]]; then
AFFECTED=1
fi
# String compare is safe here because patch levels are YYYY-MM-DD.
if [[ "$AFFECTED" -eq 1 ]]; then
if [[ "$SPL" < "$TARGET_SPL" ]]; then
echo "VULNERABLE: Android release=${RELEASE:-unknown} sdk=$SDK spl=$SPL build=${BUILD:-unknown}"
exit 1
else
echo "PATCHED: Android release=${RELEASE:-unknown} sdk=$SDK spl=$SPL build=${BUILD:-unknown}"
exit 0
fi
fi
# Not in the published affected Android branches.
echo "PATCHED: device not in published affected SDK range (sdk=$SDK release=${RELEASE:-unknown} spl=$SPL build=${BUILD:-unknown})"
exit 0
If you remember one thing.
CVE-2026-0034. Mark the ID as withdrawn in your vulnerability tracker, close any emergency ticket with rationale, and if any Android devices are still below the March 2026 bulletin level, fold them into normal mobile OS maintenance; for an IGNORE verdict there is noisgate mitigation SLA and noisgate remediation SLA action required beyond documentation, though standard Android patch hygiene should continue on its usual cadence.Sources
- Android Security Bulletin—March 2026
- AOSP fix commit for bug A-428701593
- AOSP diff showing `ManagedServices.java` and `NotificationManagerService.java` changes
- OSV record for CVE-2026-0034
- NVD record for CVE-2026-0034
- CISA Known Exploited Vulnerabilities Catalog
- FIRST EPSS overview
- CVE/ADP mirror exposing affected versions and SSVC fields
What defenders are saying.
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.