← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0111 · CWE-787 · Disclosed 2026-03-10

In ns_GetUserData of ns_SmscbUtilities

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a front door left open than a bad lock hidden inside the cell tower handshake

The bug is an out-of-bounds write in ns_GetUserData inside ns_SmscbUtilities.c, a telephony/baseband-facing parser path associated with cellular messaging utilities. In practical terms, the affected population is not all Android devices on the internet; Google's own March 2026 Pixel bulletin places CVE-2026-0111 in the Cellular Modem and rates it High, so the real exposure is unpatched Pixel devices carrying the vulnerable modem firmware before the March 2026 security update level.

The generic 9.8/AV:N label overstates enterprise risk because it treats 'network' like routable internet reachability. Here, the attacker path is the cellular radio stack, which usually implies rogue base-station proximity, carrier/signaling access, or similarly specialized positioning; that sharply narrows who can actually exploit it at scale even though the underlying bug class is dangerous.

"Serious for unpatched Pixel fleets, but this is not a commodity internet-wide Android 9.8 event"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get onto the radio path with srsRAN or carrier-grade access

An attacker first needs a way to feed crafted cellular traffic to the target modem. In the real world that usually means proximity plus SDR/rogue-base-station tooling such as srsRAN, or access inside a carrier/signaling environment; this is very different from commodity internet reachability.
Conditions required:
  • Target device is using cellular service and has the affected modem firmware
  • Attacker has physical proximity with SDR infrastructure, or privileged telecom/network position
  • Device is not already on a patched March 2026-or-later modem build
Where this breaks in practice:
  • Requires specialized radio tooling, spectrum knowledge, and operational setup
  • Illegal or conspicuous in many jurisdictions and environments
  • Many enterprise users spend large portions of the day on managed Wi-Fi instead of exposed cellular paths
Detection/coverage: Traditional vuln scanners will not see this path. Detection is mostly indirect: unusual modem resets, telephony crashes, carrier anomalies, or lab reproduction.
STEP 02

Deliver malformed cellular messaging data into ns_GetUserData

The attacker then has to craft traffic that reaches the vulnerable parser in ns_SmscbUtilities.c. The public record describes an incorrect bounds check, but there is no public exploit or packet recipe, so the attacker still has to reverse the modem path and build a working trigger.
Conditions required:
  • Precise protocol knowledge of the vulnerable message format/path
  • Vulnerable Pixel cellular modem implementation
  • Ability to reliably force the target onto the malicious radio path
Where this breaks in practice:
  • No public PoC or weaponized repo found
  • OEM/baseband parser behavior is under-documented and firmware-specific
  • Malformed traffic may just crash the component instead of producing controlled corruption
Detection/coverage: Little preventive coverage from EDR/MDM here. Crash artifacts and radio stack instability are the most realistic clues.
STEP 03

Turn the OOB write into modem-side code execution or privilege gain

An out-of-bounds write is exploitable in principle, but exploit reliability against modern firmware is not automatic. The attacker has to convert memory corruption into useful control in the modem environment while surviving mitigations and firmware variance.
Conditions required:
  • Reliable primitive beyond a one-off crash
  • Knowledge of target firmware layout and mitigations
  • A device/firmware combination where exploitation is stable enough to operationalize
Where this breaks in practice:
  • Memory-corruption hardening and firmware diversity reduce reliability
  • No public evidence of repeatable exploitation against production Pixel fleets
  • A crash-only outcome lowers real attacker value
Detection/coverage: Possible signs include repeated baseband crashes, radio restarts, or unexplained loss of cellular service, but attribution is hard.
STEP 04

Pivot from modem compromise to meaningful handset impact

Even with success in the modem path, the practical enterprise outcome depends on what the attacker can do next. The CVE text claims remote elevation of privilege, but the official Pixel bulletin classifies it as a High EoP in Cellular Modem, which suggests the worst-case generic scoring may compress distinct stages that are harder in the field than the 9.8 implies.
Conditions required:
  • Successful post-corruption control in the modem context
  • A viable path to surveillance, persistence, device destabilization, or broader handset impact
  • No intervening firmware separation or device-specific containment that blocks the pivot
Where this breaks in practice:
  • Public evidence of a full end-to-end chain is absent
  • Blast radius is limited to the handset, not an enterprise server tier
  • Fleet-wide exploitation at scale is far harder than exploiting an internet-facing service
Detection/coverage: Mobile threat defense has limited visibility into baseband internals. Device update state remains the best practical control signal.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo current evidence of active exploitation found in Google's March 2026 bulletins, and CISA KEV does not list CVE-2026-0111.
Proof-of-concept availabilityNo public PoC or weaponized GitHub repo was found during review. A realistic attacker would likely need bespoke radio tooling rather than a copy-paste exploit.
EPSSUser-supplied EPSS is 0.00238 (~0.238%), which is low and consistent with a niche, hard-to-weaponize path rather than a mass-exploitation candidate.
KEV statusNot KEV-listed as of this assessment; no CISA due date exists.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H assumes generic network reachability, but the practical network here is the cellular modem path, not an internet-facing TCP service.
Official vendor positioningGoogle's Pixel Update Bulletin—March 2026 lists CVE-2026-0111 as EoP / High / Cellular Modem, which is materially narrower than a blanket Android critical interpretation.
Affected rangeExact firmware matrix is not publicly enumerated. Practical exposure is unpatched Pixel devices carrying the affected cellular modem component before the March 2026 security update level.
Fixed versionTreat Pixel security patch level 2026-03-05 or later as the remediation floor; OEM backports outside the Pixel ecosystem are not publicly mapped here.
Scanning and exposure dataThere is no meaningful Shodan/Censys/FOFA surface for this flaw because the vulnerable parser sits in the device cellular stack, not behind an internet-visible service banner.
Disclosure and sourceThe CVE was publicly disclosed on 2026-03-10; the authoritative vendor references are Google's Android Security Bulletin—March 2026 and Pixel Update Bulletin—March 2026.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.1/10)

The decisive factor is attacker position requirement: this is a cellular-modem path bug, not a commodity internet-facing service flaw. That specialized reachability sharply reduces the exposed population, but the bug still deserves a HIGH because it is pre-auth, no-click memory corruption in a sensitive device component with weak preventive visibility once an attacker gets onto the radio path.

HIGH Official vendor scope is narrower than the user-supplied 9.8 and centers on Pixel Cellular Modem
MEDIUM Real-world exploitability is constrained by attacker radio positioning and lack of public PoC
LOW Exact affected modem firmware/version matrix outside public Pixel bulletin detail

Why this verdict

  • Attacker position knocks this down: 'AV:N' is technically true in a broad sense, but in practice the attacker needs rogue base-station proximity, SDR infrastructure, or telecom-path access rather than normal internet reachability.
  • Population is narrower than the headline implies: Google's Pixel bulletin classifies this as a High EoP in Cellular Modem, not a universal Android framework/server issue.
  • Threat intel is quiet: no KEV listing, low EPSS, and no public PoC materially reduce urgency versus a widely exploited internet-facing 9.8.

Why not higher?

I am not calling this CRITICAL because the exploit chain starts with a specialized radio-path prerequisite that most enterprise attackers do not possess at scale. The lack of public exploitation evidence and the absence of a public end-to-end chain keep this out of the 'drop everything' bucket for a 10,000-device fleet.

Why not lower?

I am not dropping this to MEDIUM because the underlying primitive is still pre-auth, no-click memory corruption in a cellular modem path. If you do have a materially exposed Pixel fleet, especially executives or travel-heavy staff, the impact of a successful exploit is serious and preventive visibility is poor.

05 · Compensating Control

What to do — in priority order.

  1. Enforce a minimum security patch level — Use MDM to require Android security patch level 2026-03-05 or later on Pixel devices and block stale devices from sensitive access. For a HIGH verdict, deploy this control within 30 days if patch rollout is lagging.
  2. Disable legacy cellular exposure where supported — Disable 2G fallback and other legacy radio modes through carrier/MDM policy where the platform and region allow it, because rogue-base-station attacks get easier as the radio stack gets older and weaker. Treat this as a risk-reduction step to deploy within 30 days.
  3. Quarantine unpatched high-risk users — Prioritize executives, traveling staff, journalists, legal, and administrators who carry Pixel handsets and spend time in uncontrolled radio environments. If they cannot be patched promptly, remove them from high-trust mobile access paths within 30 days.
  4. Watch for telephony instability — Collect and review crash telemetry, modem resets, and anomalous cellular-service failures from your mobile fleet or carrier/mobile-threat-defense stack. This will not stop exploitation, but it helps identify suspicious activity while you complete remediation within 30 days.
What doesn't work
  • Google Play Protect does not mitigate a baseband/parser bug delivered over the radio path; it scans apps, not malformed cellular frames.
  • Web proxies, WAFs, and email gateways are irrelevant because the exploit path is not HTTP, email, or browser content.
  • MFA helps protect downstream accounts, but it does not prevent exploitation of the handset's cellular modem.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation that has Android platform-tools/adb installed and can query a managed device over USB or approved remote debugging. Invoke it as python3 check_cve_2026_0111.py --serial ABC123456 or without --serial for the only attached device; no root is required, but the device must be reachable by adb.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
"""
check_cve_2026_0111.py

Checks whether an attached Android device is likely exposed to CVE-2026-0111
based on vendor scope and security patch level.

Logic:
- If the device is not Google/Pixel -> UNKNOWN (official public scope here is Pixel Cellular Modem)
- If Android security patch level >= 2026-03-05 -> PATCHED
- If Android security patch level < 2026-03-05 -> VULNERABLE
- If required properties cannot be read -> UNKNOWN

Exit codes:
0 = PATCHED
1 = VULNERABLE
2 = UNKNOWN / error
"""

import argparse
import datetime as dt
import subprocess
import sys

PATCH_FLOOR = dt.date(2026, 3, 5)


def run_adb(args, serial=None):
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += args
    try:
        res = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
    except FileNotFoundError:
        print("UNKNOWN - adb not found in PATH")
        sys.exit(2)
    except subprocess.TimeoutExpired:
        print("UNKNOWN - adb command timed out")
        sys.exit(2)

    if res.returncode != 0:
        stderr = (res.stderr or "").strip()
        print(f"UNKNOWN - adb failed: {stderr or 'unknown error'}")
        sys.exit(2)
    return (res.stdout or "").strip()


def getprop(prop, serial=None):
    return run_adb(["shell", "getprop", prop], serial=serial).strip()


def parse_date(value):
    try:
        return dt.datetime.strptime(value, "%Y-%m-%d").date()
    except Exception:
        return None


def main():
    parser = argparse.ArgumentParser(description="Check likely exposure to CVE-2026-0111 on a connected Android device")
    parser.add_argument("--serial", help="ADB device serial", default=None)
    args = parser.parse_args()

    # Basic connectivity check
    state = run_adb(["get-state"], serial=args.serial)
    if state.strip() != "device":
        print(f"UNKNOWN - adb state is '{state.strip()}', not 'device'")
        sys.exit(2)

    manufacturer = getprop("ro.product.manufacturer", serial=args.serial)
    brand = getprop("ro.product.brand", serial=args.serial)
    model = getprop("ro.product.model", serial=args.serial)
    device = getprop("ro.product.device", serial=args.serial)
    patch = getprop("ro.build.version.security_patch", serial=args.serial)

    patch_date = parse_date(patch)
    vendor_text = " ".join([manufacturer, brand, model, device]).lower()
    is_google_pixel = ("google" in vendor_text) or ("pixel" in vendor_text)

    if not patch or patch_date is None:
        print(f"UNKNOWN - could not parse security patch level (value: '{patch}') for {manufacturer} {model}")
        sys.exit(2)

    if not is_google_pixel:
        print(f"UNKNOWN - device is '{manufacturer} {model}' with patch level {patch}; public authoritative scope reviewed here is Pixel Cellular Modem")
        sys.exit(2)

    if patch_date >= PATCH_FLOOR:
        print(f"PATCHED - {manufacturer} {model} security patch level {patch} meets or exceeds {PATCH_FLOOR.isoformat()}")
        sys.exit(0)
    else:
        print(f"VULNERABLE - {manufacturer} {model} security patch level {patch} is older than {PATCH_FLOOR.isoformat()}")
        sys.exit(1)


if __name__ == "__main__":
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a Pixel cellular fleet problem, not a generic internet-wide Android 9.8 fire drill: identify every managed Pixel that is still below 2026-03-05 SPL, block stale devices from sensitive mobile access, and apply those compensating controls within the noisgate mitigation SLA of 30 days. Then finish vendor patch rollout to all affected Pixels within the noisgate remediation SLA of 180 days; if you have high-risk travelers or executive devices, move them to the front of the queue instead of waiting for broad fleet cadence.

Sources

  1. Android Security Bulletin—March 2026
  2. Pixel Update Bulletin—March 2026
  3. CVE Record
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS
  6. Check & update your Android version
  7. Google Play Protect on-device protections
  8. srsRAN Project documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.