← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0110 · CWE-120 · Disclosed 2026-03-10

In MM_DATA_IND of cn_NrSmMsgHdlrFromMM

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a trapdoor in the phone’s radio stack, not a front door on your perimeter

CVE-2026-0110 is a memory-corruption bug in the Pixel modem path, specifically MM_DATA_IND in cn_NrSmMsgHdlrFromMM.cpp, that Google describes as a possible elevation of privilege. Public Android/Pixel advisories tie it to the Modem subcomponent and state that patch levels 2026-03-05 or later address it on supported Google devices. Inference: despite the CNA CVSS vector saying AV:N/PR:N/UI:N, this is not a normal IP-reachable service; the reachable surface is the cellular/baseband signaling path.

The vendor baseline of CRITICAL 9.8 overstates enterprise patch urgency for most fleets because the hardest part is not memory corruption, it is getting controlled input into the modem from the right attacker position. In practice this looks more like a targeted baseband exploit requiring rogue radio infrastructure, carrier-adjacent capability, or a very specialized telecom lab setup—not an internet worm. It is still serious because exploitation is no-click and below the app layer, but for a 10,000-host enterprise this is a HIGH, not a drop-everything CRITICAL.

"Dangerous no-click modem bug, but not an internet-scale fire: telecom-side reachability is the real limiter."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get telecom-path access

The attacker first needs a way to feed malformed signaling or modem-facing data into the target device. A realistic weaponized setup is a rogue or research 5G environment using tools such as srsRAN gNB components and an open 5G core like OpenAirInterface, or equivalent carrier-side access. This is the make-or-break prerequisite: without radio-path control, the CVSS AV:N label is misleadingly generous.
Conditions required:
  • Target uses an affected Google/Pixel device
  • Attacker can influence cellular signaling/data reaching the modem
  • Device is on a network mode/path that exercises the vulnerable code
Where this breaks in practice:
  • Requires telecom-specific infrastructure or carrier-adjacent access, not just internet reachability
  • Many enterprise defenders will never expose phones to attacker-controlled RF environments at scale
  • Carrier, geography, band support, and handset model differences make exploit delivery less portable
Detection/coverage: Traditional vuln scanners do not see this step. Network IDS/WAF/NGFW coverage is effectively none because the traffic is radio/baseband-side, not enterprise TCP application traffic.
STEP 02

Trigger MM_DATA_IND memory corruption

Once the attacker can reach the modem parser, they attempt to send crafted data that corrupts memory in MM_DATA_IND within cn_NrSmMsgHdlrFromMM.cpp. Google classifies the result as EoP with no user interaction. Inference: the exploit likely depends on precise parser state and modem build behavior, so portability across devices and carrier firmware variants is a real engineering burden.
Conditions required:
  • A vulnerable pre-2026-03-05 build is present
  • The vulnerable modem code path is enabled on that device/firmware combination
  • Attacker payload matches the target modem implementation closely enough to corrupt memory predictably
Where this breaks in practice:
  • No public PoC located from authoritative sources
  • Closed-source vendor modem binaries reduce exploit development speed
  • Crash-only behavior is far easier than reliable privilege escalation
Detection/coverage: Detection is mostly indirect: modem crashes, radio resets, unexpected connectivity drops, or forensic artifacts after compromise. Commodity EDR on Android generally has poor visibility into modem internals.
STEP 03

Convert corruption into privilege gain

The attacker then needs to turn memory corruption into meaningful privilege escalation on the device. That is the difference between a bug that reboots radios and a bug that yields durable control or a stepping stone into the application processor. This stage is why baseband exploitation remains high value but also high effort.
Conditions required:
  • Exploit chain achieves controlled memory primitives rather than a simple crash
  • The target build lacks enough hardening to block stable exploitation
  • Attacker has device-specific exploit reliability
Where this breaks in practice:
  • Modern mitigations and device-specific hardening reduce exploit reliability
  • Exploit chains may need per-model or per-build tuning
  • Blast radius is one handset at a time, not one server leading to one domain
Detection/coverage: You usually detect this by patch-level compliance and high-risk-user telemetry, not signature-based exploit detection. MDM can confirm patch level; it cannot confirm exploit absence.
STEP 04

Operationalize on the handset

If exploitation succeeds, the attacker can potentially use the phone as a surveillance, credential, or messaging foothold. In enterprise terms, the most realistic business impact is compromise of a managed mobile endpoint used by an executive, traveler, or admin—not mass compromise of every handset in the fleet.
Conditions required:
  • Compromised handset has access to enterprise apps, tokens, or sensitive communications
  • Attacker can persist or at least extract useful data before the device updates or reboots
Where this breaks in practice:
  • MDM, app sandboxing, and token protections may still constrain post-exploit abuse
  • Many corporate mobile devices have limited local privilege value compared with laptops and servers
Detection/coverage: Look for anomalous device behavior, MDM compliance drift, repeated radio instability, and high-risk-user targeting patterns. There is no reliable remote network scan that will tell you this handset is being exploited.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative evidence of active exploitation found in Google bulletins or CISA KEV. This is not one of the Android issues Google explicitly called out as under exploitation in March 2026.
Proof-of-concept availabilityNo public PoC or exploit repo located from authoritative sources. Inference: exploitation likely remains in the domain of specialized baseband researchers or nation-state-grade mobile operators rather than commodity crimeware.
EPSS0.00238 (~0.238% 30-day probability). That is very low and aligns with a targeted, hard-to-reach bug rather than broad internet exploitation.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities Catalog as of this assessment.
CVSS vector reality checkVendor/CNA vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, but the important nuance is that AV:N maps here to cellular/network-plane reachability, not a normal internet-exposed daemon. That sharply reduces reachable population.
Affected versionsPublic bulletin evidence ties the bug to supported Google/Pixel devices before patch level 2026-03-05. Google marks it in the Pixel bulletin under Modem rather than the generic AOSP tables.
Fixed versionPatched by Pixel security patch level 2026-03-05 or later. The issue is marked with a non-public Android bug ID (A-440358226 *), which indicates the fix is generally in vendor binary drivers rather than a public AOSP code review.
Exposure / scanning realityNo meaningful Shodan/Censys/FOFA exposure metric applies. Inference: this is a radio/baseband surface, so internet scan platforms and GreyNoise-style HTTP telemetry are the wrong lens.
Disclosure datePublicly disclosed 2026-03-10; Pixel bulletin published 2026-03-03 and updated 2026-03-09.
Reporter / attributionCNA/source is Google Devices / Android. No public finder credit was visible in the advisory material reviewed.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.4/10)

The decisive downshift from CRITICAL is the attacker-position requirement: this bug lives on the modem path, so exploitation needs telecom-path reachability rather than ordinary internet exposure. That keeps the reachable population and operational blast radius much narrower even though the underlying bug class and no-click nature are both nasty.

HIGH Patch metadata and affected/fixed patch level
MEDIUM Real-world exploitability downgrade from vendor CVSS
LOW Exact exploit chain details inside the closed modem implementation

Why this verdict

  • Baseline starts at 9.8, then drops hard on attacker position: vendor scoring treats this like generic network reachability, but the real prerequisite is modem-path access via telecom infrastructure or equivalent capability.
  • Reachable population is narrow: only affected Google/Pixel devices before 2026-03-05 are in scope, and even there the exploit path depends on radio conditions, modem implementation, and carrier context.
  • Threat intel is cold: no KEV listing, no authoritative exploitation notice for this CVE, no public PoC found, and EPSS is very low.

Why not higher?

If this were an ordinary internet-facing daemon with the same no-auth/no-click profile, it would stay CRITICAL. But this is a baseband/modem path issue, and each extra prerequisite—radio-path control, device specificity, closed binary behavior—compounds downward pressure on mass exploitation risk.

Why not lower?

It is still a remote, no-click memory-corruption bug in a security-sensitive component, and successful exploitation could compromise a managed mobile endpoint below the app layer. For executives, travelers, journalists, or staff exposed to hostile RF environments, the risk remains materially higher than backlog-grade mobile noise.

05 · Compensating Control

What to do — in priority order.

  1. Enforce Pixel patch compliance — Use MDM or ADB-based compliance checks to identify devices below security patch level 2026-03-05 and drive them to compliance within 30 days. This is the cleanest control because scanner visibility into modem bugs is weak and patch level is the only durable signal.
  2. Prioritize high-risk users first — Move executives, administrators, frequent travelers, and field staff onto patched devices first, within 30 days. Their exposure to targeted surveillance and hostile RF environments is the practical amplifier for this bug.
  3. Retire unsupported Pixel models — Identify Pixel 5a and earlier devices that no longer receive security updates and remove them from trusted access paths within 30 days if they cannot receive the March 2026 patch train. Unsupported handsets turn a bounded patching problem into permanent residual risk.
  4. Reduce risky radio exposure where feasible — For high-risk cohorts, restrict unnecessary roaming/test networks and prefer managed carrier profiles or safer connectivity options until patched, within 30 days. This does not fix the bug, but it reduces opportunities for hostile telecom-path interaction.
What doesn't work
  • WAF, NGFW, and internet IDS: the vulnerable surface is the modem/baseband path, not your web stack.
  • App allowlisting or mobile threat defense alone: those controls sit above the radio stack and may never see exploit delivery.
  • Waiting for vuln scanners to prove exposure: they generally cannot inspect closed modem parser state; patch-level verification is the only reliable fleet signal.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed against a USB- or network-connected Pixel device. Invoke it as ./check-cve-2026-0110.sh SERIAL or ./check-cve-2026-0110.sh for the default connected device; no root is required, but the device must allow ADB access.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2026-0110.sh
# Verify whether a connected Android/Pixel device is patched for CVE-2026-0110
# Logic:
#   - Reads model and security patch level via adb.
#   - Treats SPL >= 2026-03-05 as PATCHED per Google's March 2026 Pixel bulletin.
#   - Outputs VULNERABLE / PATCHED / UNKNOWN and exits non-zero on UNKNOWN/VULNERABLE.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / execution error

set -euo pipefail

TARGET="${1:-}"
ADB=(adb)
if [[ -n "$TARGET" ]]; then
  ADB+=( -s "$TARGET" )
fi

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

command -v adb >/dev/null 2>&1 || fail_unknown "adb not found in PATH"

STATE="$(${ADB[@]} get-state 2>/dev/null || true)"
[[ "$STATE" == "device" ]] || fail_unknown "no accessible adb device"

getprop_safe() {
  local prop="$1"
  ${ADB[@]} shell getprop "$prop" 2>/dev/null | tr -d '\r'
}

MODEL="$(getprop_safe ro.product.model)"
MANUFACTURER="$(getprop_safe ro.product.manufacturer)"
BRAND="$(getprop_safe ro.product.brand)"
PATCH_LEVEL="$(getprop_safe ro.build.version.security_patch)"
BUILD_ID="$(getprop_safe ro.build.id)"
ANDROID_VER="$(getprop_safe ro.build.version.release)"

if [[ -z "$PATCH_LEVEL" ]]; then
  fail_unknown "security patch level unavailable"
fi

# Normalize date comparison by removing dashes.
PATCH_NUM="${PATCH_LEVEL//-/}"
FIXED_NUM="20260305"

IS_PIXEL="false"
shopt -s nocasematch
if [[ "$MODEL" == Pixel* || "$MANUFACTURER" == "Google" || "$BRAND" == "google" ]]; then
  IS_PIXEL="true"
fi
shopt -u nocasematch

echo "Model: ${MODEL:-unknown}"
echo "Manufacturer: ${MANUFACTURER:-unknown}"
echo "Brand: ${BRAND:-unknown}"
echo "Android: ${ANDROID_VER:-unknown}"
echo "Build ID: ${BUILD_ID:-unknown}"
echo "Security Patch Level: ${PATCH_LEVEL}"

if [[ "$IS_PIXEL" != "true" ]]; then
  echo "UNKNOWN: device does not appear to be a Google Pixel; public fix guidance reviewed was Pixel-specific for CVE-2026-0110"
  exit 2
fi

if [[ "$PATCH_NUM" =~ ^[0-9]{8}$ ]]; then
  if (( PATCH_NUM >= FIXED_NUM )); then
    echo "PATCHED: Pixel security patch level is ${PATCH_LEVEL}, which is at or above 2026-03-05"
    exit 0
  else
    echo "VULNERABLE: Pixel security patch level is ${PATCH_LEVEL}, below 2026-03-05"
    exit 1
  fi
else
  fail_unknown "unrecognized security patch format: $PATCH_LEVEL"
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a mobile fleet priority, not an all-hands perimeter emergency: inventory all managed Google Pixel devices, identify anything below 2026-03-05, and push temporary exposure-reduction controls for high-risk users under the noisgate mitigation SLA of ≤30 days while you drive the actual patch rollout under the noisgate remediation SLA of ≤180 days. In practice, that means patch your supported Pixel estate this month, move executives/travelers first, and remove unsupported older Pixel devices from trusted mobile access paths rather than pretending your server-side controls will save you.

Sources

  1. Google Pixel Update Bulletin — March 2026
  2. Android Security Bulletin — March 2026
  3. Android OSV record PUB-A-440358226
  4. Pixel update schedule / checking security patch level
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS data statistics
  7. srsRAN Project documentation
  8. OpenAirInterface 5G Core Network project
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.