← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0109 · CWE-754 · Disclosed 2026-03-10

In dhd_tcpdata_info_get of dhd_ip

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is more like jamming one walkie-talkie in the room than cutting power to the whole building

CVE-2026-0109 is a denial-of-service flaw in dhd_tcpdata_info_get inside Android/Google Wi-Fi driver code (dhd_ip.c). The public description says no auth and no user interaction are needed, but the strongest authoritative scoping we found is Google's Android OSV entry for A-438245439, which narrows the affected range to the Pixel Watch family fixed at security patch level 2026-03-05; Google's Pixel March 2026 bulletin also tags it as Wifi and Moderate.

The 7.5 HIGH vector overstates operational risk for enterprise patch triage. CVSS treats this as generic network reachability, but in the real world the attacker likely needs RF proximity or a path through the local Wi-Fi environment, the impact is DoS only, there is no KEV listing, no public exploitation evidence, and the affected population appears far narrower than 'all Android'.

"Technically remote, practically local-radio DoS on a narrow Google device slice—not a 7.5 enterprise fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into the target's Wi-Fi blast radius

The attacker first needs a delivery path to the vulnerable Wi-Fi stack. In practice that means local radio proximity, association to the same wireless environment, or another position that can feed crafted network traffic into the device's DHD path. Tooling would be ordinary wireless test gear plus packet-crafting frameworks such as Scapy with a monitor/injection-capable adapter.
Conditions required:
  • Target is an affected Google device in the vulnerable patch range
  • Attacker is physically nearby or otherwise positioned on the same Wi-Fi path
  • Wi-Fi is enabled and reachable
Where this breaks in practice:
  • This is not meaningfully internet-scalable like an edge appliance bug
  • RF proximity or local network position sharply cuts the exposed population
  • The best public version signal points to Pixel Watch-family scope, not broad enterprise endpoint scope
Detection/coverage: Traditional vuln scanners will not reliably validate this pre-auth wireless-driver condition. Wireless IDS may see malformed traffic, but most enterprises have limited telemetry at the handset/watch driver layer.
STEP 02

Deliver malformed traffic into dhd_tcpdata_info_get

Using packet-crafting tools such as Scapy, lorcon, or custom test harnesses, the attacker attempts to hit the precondition-check failure in dhd_tcpdata_info_get. The public record does not expose a weaponized PoC, so reproducing the precise trigger likely requires reverse engineering or vendor-driver diffing.
Conditions required:
  • A traffic pattern exists that reaches the vulnerable function
  • The device chipset/driver build matches the vulnerable implementation
Where this breaks in practice:
  • No public PoC located
  • Binary-driver issues are often fragile across device families and firmware revisions
  • Vendor bug is marked with a non-public Android bug ID, limiting copy-paste exploitability
Detection/coverage: Network sensors may only see malformed Wi-Fi/TCP traffic if positioned correctly. EDR on the endpoint usually has poor visibility into kernel/driver precondition failures on mobile devices.
STEP 03

Crash or wedge the Wi-Fi handling path

If the malformed input lands correctly, the vulnerable driver path can fail its precondition handling and trigger a denial of service. The practical effect is loss of connectivity, device instability, or service interruption rather than code execution or data theft.
Conditions required:
  • The malformed traffic reaches the vulnerable code path intact
  • Mitigations or robustness checks in the specific build do not absorb the fault
Where this breaks in practice:
  • Impact is availability-only
  • Blast radius is usually one device at a time unless the attacker is physically present near many targets
Detection/coverage: Look for kernel/driver crash artifacts, Wi-Fi resets, repeated disconnects, and MDM telemetry showing network instability after suspicious local wireless activity.
STEP 04

Repeat for nuisance-level disruption

A persistent attacker can replay the trigger to keep the device offline or unstable. That matters for executives or field staff carrying affected wearables, but it is still a localized disruption problem, not a fleet-wide enterprise takeover path.
Conditions required:
  • Attacker can remain within range or maintain network adjacency
  • Defender has not disabled/contained the local wireless exposure
Where this breaks in practice:
  • Sustained attack requires sustained presence
  • Physical proximity raises the chance of local detection or simple avoidance
Detection/coverage: Repeated connection failures in wireless logs or MDM event streams can expose a looping DoS pattern, but attribution to this CVE specifically will be weak.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence found in authoritative sources reviewed; CISA ADP SSVC on the CVE record shows Exploitation: none.
KEV statusNot listed in CISA KEV as of the catalog page reviewed.
Proof-of-concept availabilityNo public PoC located in GitHub-oriented searches or major public CVE aggregators during this review.
EPSS0.00201 (~0.201%) from the user-supplied intel; low by any practical prioritization standard. Percentile was not independently verified from FIRST during this session.
CVSS vs realityCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H says unauth remote DoS, but the operational catch is that this is a Wi-Fi driver path, so 'network' likely means local wireless reachability, not broad internet exposure.
Affected scopePublic CVE/NVD records are broad (google:android / Android kernel), but Google's Android OSV entry for A-438245439 narrows the affected range to Pixel Watch family.
Fixed versionSecurity patch level 2026-03-05 fixes the issue for the scoped OSV range; Google's Pixel bulletin says devices at 2026-03-05 or later address the March 2026 issues.
Vendor severity mismatchThe user-supplied baseline is HIGH 7.5, but Google's Pixel Update Bulletin labels CVE-2026-0109 as Moderate in the Wifi subcomponent. That mismatch is exactly why this needs reassessment.
Exposure and scanningNot meaningfully Shodan/Censys/FOFA scannable. This is endpoint-side wireless-driver exposure, so internet census data is the wrong lens.
DisclosurePublished 2026-03-10; NVD shows Google Devices as the source and CISA ADP supplied the 7.5 HIGH CVSS enrichment.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.7/10)

The decisive downgrading factor is attacker position: this appears to be a Wi-Fi-path driver DoS that is far closer to local-radio adjacency than true internet-wide unauthenticated remote reach. Add the likely Pixel Watch-family scope and availability-only impact, and this stops looking like a 7.5 patch-everything event.

HIGH Low exploitation pressure: no KEV, no public in-the-wild evidence, low EPSS
MEDIUM Affected population narrowing to Pixel Watch family based on Android OSV
MEDIUM Attack-path inference that practical reachability is local Wi-Fi/RF rather than internet-scale

Why this verdict

  • Attacker position downgrades this hard: a Wi-Fi driver flaw implies local wireless adjacency or equivalent path, not broad internet exposure.
  • Exposure population is narrow: the best version intelligence found points to Pixel Watch family rather than your general Windows/Linux/macOS fleet.
  • Impact is DoS only: no code execution, no privilege gain, no data compromise, and usually one device at a time.
  • Exploit pressure is weak: no KEV, no public exploitation evidence, and a very low EPSS signal.
  • Public exploitability is hampered: no public PoC found and the Android bug reference is non-public, which raises implementation friction.

Why not higher?

A higher severity would require either internet-scalable reachability, demonstrated exploitation, or broader blast radius. We have none of those here. The attack likely starts from local wireless position, lands on a narrow device family, and only produces availability loss.

Why not lower?

It is still a genuine remotely triggerable driver-level DoS with no user interaction once the attacker has the right position. If you actually manage affected Google wearables or similar devices in executive/VIP populations, nuisance disruption is real enough that this should not be ignored entirely.

05 · Compensating Control

What to do — in priority order.

  1. Inventory affected Google wearables — Use MDM or asset data to identify any Pixel Watch family devices below security patch level 2026-03-05. Because this is a LOW verdict, there is no mitigation SLA; do this as backlog hygiene during the next normal mobile security review.
  2. Restrict risky Wi-Fi exposure for sensitive users — For executives, admins, and field staff carrying affected devices, prefer trusted SSIDs and disable unnecessary Wi-Fi use in hostile environments until patched. This trims the only realistic attack surface—local wireless reachability—and for a LOW issue it belongs in the normal hardening cycle, not emergency change windows.
  3. Monitor for repeated Wi-Fi instability — Pull MDM, system, or support telemetry for repeated disconnects, Wi-Fi resets, or crash loops on affected devices. That will not prove exploitation, but it gives you a way to spot nuisance abuse while patching through the regular device-update process.
  4. Enforce current Android/Pixel patch baselines — Make 2026-03-05 or later the minimum acceptable patch level for the scoped Google devices in MDM compliance policy. For a LOW issue this is standard configuration hygiene rather than an urgent mitigation program.
What doesn't work
  • Perimeter vuln scanning doesn't help much, because this is not an internet-facing service signature you can reliably probe.
  • Server-side WAF or email controls are irrelevant; the attack path is wireless-driver parsing, not web or mail delivery.
  • MFA does nothing here because the issue is pre-auth DoS against the device's network stack, not account abuse.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor/admin workstation that has adb installed, with the target Google watch/Android device connected and authorized for debugging. Invoke it as ./check_cve_2026_0109.sh <serial> or ./check_cve_2026_0109.sh for a single attached device; no root is required, but USB debugging or equivalent adb access is.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_0109.sh
# Determine likely exposure to CVE-2026-0109 using Android/Google patch level data.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0 patched, 1 vulnerable, 2 unknown, 3 usage/runtime error

set -u

TARGET_SERIAL="${1:-}"
FIXED_SPL="2026-03-05"

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

adb_cmd() {
  if [[ -n "$TARGET_SERIAL" ]]; then
    adb -s "$TARGET_SERIAL" "$@"
  else
    adb "$@"
  fi
}

getprop_safe() {
  local key="$1"
  adb_cmd shell getprop "$key" 2>/dev/null | tr -d '\r'
}

if ! have_cmd adb; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

STATE=$(adb_cmd get-state 2>/dev/null || true)
if [[ "$STATE" != "device" ]]; then
  echo "UNKNOWN: no authorized adb device connected"
  exit 2
fi

MODEL=$(getprop_safe ro.product.model)
DEVICE=$(getprop_safe ro.product.device)
PRODUCT=$(getprop_safe ro.build.product)
BRAND=$(getprop_safe ro.product.brand)
MANUFACTURER=$(getprop_safe ro.product.manufacturer)
FINGERPRINT=$(getprop_safe ro.build.fingerprint)
SPL=$(getprop_safe ro.build.version.security_patch)
BUILD_ID=$(getprop_safe ro.build.id)

if [[ -z "$SPL" ]]; then
  echo "UNKNOWN: could not read security patch level"
  exit 2
fi

# Heuristic: Google/Pixel watch-family scoping is the strongest public version signal.
IS_GOOGLE=0
if echo "$BRAND $MANUFACTURER $MODEL $DEVICE $PRODUCT $FINGERPRINT" | grep -Eiq '(google|pixel)'; then
  IS_GOOGLE=1
fi

IS_WATCH_FAMILY=0
if echo "$MODEL $DEVICE $PRODUCT $FINGERPRINT" | grep -Eiq '(watch|eos|r11|pixelwatch|pixel_watch)'; then
  IS_WATCH_FAMILY=1
fi

if [[ "$IS_GOOGLE" -ne 1 ]]; then
  echo "UNKNOWN: device does not appear to be a Google/Pixel target"
  exit 2
fi

# Lexical compare works for YYYY-MM-DD dates.
if [[ "$SPL" < "$FIXED_SPL" ]]; then
  if [[ "$IS_WATCH_FAMILY" -eq 1 ]]; then
    echo "VULNERABLE: Google watch-family device below fixed SPL ($SPL < $FIXED_SPL); model=$MODEL build=$BUILD_ID"
    exit 1
  else
    echo "UNKNOWN: Google device below fixed SPL ($SPL < $FIXED_SPL) but public scoping is inconsistent; model=$MODEL build=$BUILD_ID"
    exit 2
  fi
else
  if [[ "$IS_WATCH_FAMILY" -eq 1 ]]; then
    echo "PATCHED: watch-family device at or above fixed SPL ($SPL >= $FIXED_SPL); model=$MODEL build=$BUILD_ID"
    exit 0
  else
    echo "PATCHED: Google device at or above March 2026 fixed SPL ($SPL >= $FIXED_SPL); model=$MODEL build=$BUILD_ID"
    exit 0
  fi
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, first verify whether you even have any Pixel Watch family / Google wearable assets below 2026-03-05; if you do not, this is basically a paperwork closeout. If you do, there is noisgate mitigation SLA for a LOW finding—no SLA (treat as backlog hygiene)—and there is effectively no urgent containment requirement here unless you have VIP users in hostile Wi-Fi environments; under the noisgate remediation SLA, keep it in the normal device-update stream rather than breaking change windows for it.

Sources

  1. Google Pixel Update Bulletin — March 2026
  2. Android Security Bulletin — March 2026
  3. NVD CVE-2026-0109
  4. Android OSV entry PUB-A-438245439
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS overview
  7. FIRST API documentation for EPSS
  8. OpenCVE summary for CVE-2026-0109
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.