CVE-2026-0114 · In Modem, there is a possible out of bounds write due to an incorrect bounds check.

01 · The Real Story

This is a sniper rifle hidden inside the phone radio, not a worm chewing through your perimeter

CVE-2026-0114 is a Pixel modem out-of-bounds write that Google classifies as RCE. The vendor description says exploitation needs no privileges and no user interaction, but the affected population is supported Google Pixel devices that had security patch level earlier than 2026-03-05; this is not a general Android server-side bug and the fix ships in Pixel's March 2026 security update.

The vendor's 9.8/CRITICAL score reflects the technical impact if the modem path is reached, not the real enterprise exposure. In practice this sits behind a cellular/baseband attack surface, often requiring a stronger attacker position, specialized telecom exploitation capability, or rogue network conditions rather than ordinary internet reachability. That makes the raw CVSS too hot for patch-priority decisions, even though the underlying bug class is serious.

"Technically nasty, but this is a narrow Pixel baseband problem—not a 9.8 patch-everything fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the Pixel modem attack surface

The attacker needs a delivery path into the vulnerable Pixel modem/baseband stack rather than a normal app or web service. In real life that usually means a cellular-network path, rogue base-station scenario, or other radio-protocol trigger, not just an internet socket. Weaponization would likely rely on custom SDR / RAN tooling rather than commodity exploit kits.

Conditions required:

Target device is a supported Google Pixel on patch level earlier than 2026-03-05
Attacker can interact with the device's cellular/baseband path
Victim radio conditions permit the relevant network negotiation or malformed traffic path

Where this breaks in practice:

This is not a routable enterprise service and is invisible to normal perimeter scanning
Baseband attack delivery is a specialist capability; most criminal crews do not operate here
Carrier behavior, radio environment, and device state all narrow exploit reliability

Detection/coverage: Traditional vuln scanners do not test this path. Your best coverage is MDM/asset inventory for Pixel models and security patch level, plus telecom anomaly monitoring where available.

STEP 02

Drive the malformed input into the bounds-check bug

The vulnerability is an incorrect bounds check leading to an out-of-bounds write in the modem. To turn that into reliable code execution, an attacker must shape protocol state and memory conditions precisely—something normally done with bespoke fuzzing outputs or internal protocol knowledge, not a copy-paste PoC.

Conditions required:

The attacker can send the specific malformed modem input
The modem firmware build matches a vulnerable Pixel release
Exploit reliability is sufficient on the targeted chipset/firmware combination

Where this breaks in practice:

No public PoC or exploit repo was found for the CVE or Google bug ID
The bug is in a non-public binary driver/firmware path, so reverse engineering cost is higher
Cross-model and cross-carrier reliability is likely uneven

Detection/coverage: You may only see indirect symptoms such as modem crashes, radio resets, or device instability. EDR visibility into baseband execution is minimal.

STEP 03

Escape from memory corruption to modem RCE

An out-of-bounds write gives the attacker a corruption primitive, but converting that into stable modem code execution still requires exploit engineering around the target firmware's layout and mitigations. This is where the difference between a lab crash and an operational exploit usually shows up.

Conditions required:

A controllable corruption primitive is obtained
Attacker can bypass or work around modem-firmware mitigations
Target hardware/firmware pairing behaves predictably enough for exploitation

Where this breaks in practice:

High exploit-development cost
Likely fragile across baseband revisions and carrier-customized firmware
No public evidence yet that broad criminal exploitation has crossed this hurdle

Detection/coverage: Operationally, there is almost no direct defender telemetry here. Detection is mostly post-facto via patch-state reporting and incident-response artifacts on the handset.

STEP 04

Translate modem compromise into device impact

If exploitation succeeds, the attacker can potentially pivot from radio compromise into device surveillance, persistence, or further privilege abuse, depending on containment between the baseband and application processor. That's why the vendor calls it critical in a vacuum.

Conditions required:

Successful code execution in the modem context
Useful post-exploitation path from modem control to attacker objectives
Target device carries sensitive user, identity, or MFA material

Where this breaks in practice:

Blast radius is mostly per-device, not a one-shot enterprise-wide compromise
Follow-on impact depends on the handset's security boundaries and attacker tradecraft
Even successful compromise does not directly translate into domain-wide compromise

Detection/coverage: Look for downstream symptoms in mobile threat defense, anomalous SIM/network behavior, and user-reported radio instability; there is no strong signature-based scanner story.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	As of this assessment, no public active-exploitation evidence was found, and the CVE is not listed in CISA KEV.
Public exploit / PoC	No public PoC located for `CVE-2026-0114` or Google bug `A-454604426`; that materially lowers mass-exploitation risk.
EPSS	Supplied EPSS is 0.00238 (~0.238% 30-day exploitation probability). Percentile was not provided in the upstream intel and was not directly verified from the FIRST API in this run.
KEV status	Not KEV-listed in the CISA Known Exploited Vulnerabilities Catalog at time of review.
CVSS vector reality check	`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` describes worst-case technical impact, but `AV:N` is misleading for enterprise prioritization here because the reachable surface is a modem/baseband path, not a conventional internet-facing service.
Affected population	Affected scope is supported Google Pixel devices carrying a security patch level before `2026-03-05`. This is Pixel-specific bulletin material, not a broad Android estate bug.
Fixed version	Google states that security patch level `2026-03-05` or later addresses the issue on supported Pixel devices.
Exposure and scanning signal	There is no meaningful Shodan/Censys/FOFA/GreyNoise-style internet census signal for this component because the vulnerable surface lives in the phone modem, not a directly fingerprintable public service.
Disclosure date	Publicly disclosed 2026-03-10 via Google/NVD records tied to the March 2026 Pixel bulletin.
Researcher / reporting org	Public attribution is limited; the CVE record source is Google Devices and the public reference is the Pixel Update Bulletin—March 2026.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (7.1/10)

The decisive factor is attacker reachability: this is a Pixel modem/baseband flaw, not a commodity internet-facing service, so the population that can actually exploit it at scale is much smaller than the CVSS suggests. It stays HIGH because successful no-click modem RCE on a managed handset is still a serious compromise of identity-bearing corporate endpoints.

HIGH Vendor metadata, disclosure date, CVSS vector, and fixed patch level

MEDIUM Real-world exploitability downgrade based on attack-path friction

LOW Exact exploit prerequisites inside the non-public modem implementation

Why this verdict

Downgrade for attacker position: vendor CVSS treats this like broad network reachability, but the real path is cellular/baseband access, which sharply narrows who can hit it and how.
Downgrade for exposure population: this is supported Pixel only and fixed by 2026-03-05 SPL; it is not a generic Android or enterprise server issue.
Downgrade for threat evidence: no KEV, no public exploitation evidence, no public PoC, and a very low EPSS (0.00238) all argue against emergency-at-scale behavior.
Keep it high, not medium: if an actor can reach the bug, it is a no-user-interaction RCE in a handset component that can carry MFA, corp email, VPN certs, and executive comms.

Why not higher?

There is no public sign of broad exploitation, no public exploit chain, and no evidence this is being mass-scanned or weaponized by commodity operators. The attack surface is also not directly internet-addressable in the way a pre-auth VPN, firewall, or web console bug would be.

Why not lower?

This is still remote, no-click memory corruption with RCE potential on a managed endpoint class that matters for executives, admins, and travel staff. If your fleet includes Pixels, the consequence of a capable attacker landing this is real enough that it should not be relegated to pure backlog hygiene.

05 · Compensating Control

What to do — in priority order.

Force Pixel patch compliance — Use Android Enterprise / MDM to identify all managed Pixel devices and require security patch level 2026-03-05 or later. For a HIGH verdict, deploy this control within 30 days if you cannot immediately confirm full patch coverage.
Disable 2G where the business can tolerate it — Google explicitly documents that 2G downgrade paths enable false-base-station risk; disabling 2G removes one common lower-trust cellular path. Apply this to managed Pixels, especially high-risk users, within 30 days where roaming and coverage requirements allow.
Enable mobile network security features — On Android 16-capable devices, turn on the Mobile network security notifications so users and admins get visibility into unencrypted network use and frequent identifier disclosure. This is an exposure-reduction and detection aid to deploy within 30 days.
Quarantine unsupported legacy Pixels from sensitive access — Older devices outside Google's security-support window should not hold high-value corporate identities if you cannot bring them to a fixed build. Move them out of privileged app access and certificate-backed auth flows within 30 days.

What doesn't work

A WAF does nothing here because the vulnerable surface is not HTTP.
Perimeter IDS signatures are weak coverage because the delivery path is modem/radio traffic, not a standard enterprise ingress point.
Server-side EDR is irrelevant, and even mobile EDR has limited visibility inside the baseband itself.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and a managed Pixel connected over USB debugging or approved ADB transport. Invoke it as ./check-cve-2026-0114.sh <device-serial>; no root is required, but you do need ADB access to query device properties.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-0114.sh
# Determine whether a connected Google Pixel is vulnerable to CVE-2026-0114
# based on manufacturer/model and Android security patch level.
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / ERROR

set -euo pipefail

REQUIRED_SPL="2026-03-05"
SERIAL="${1:-}"

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

ADB=(adb)
if [[ -n "$SERIAL" ]]; then
  ADB+=( -s "$SERIAL" )
fi

if ! "${ADB[@]}" get-state >/dev/null 2>&1; then
  echo "UNKNOWN: device not reachable via adb"
  exit 2
fi

getprop() {
  "${ADB[@]}" shell getprop "$1" 2>/dev/null | tr -d '\r'
}

MANUFACTURER="$(getprop ro.product.manufacturer | xargs)"
BRAND="$(getprop ro.product.brand | xargs)"
MODEL="$(getprop ro.product.model | xargs)"
DEVICE="$(getprop ro.product.device | xargs)"
SPL="$(getprop ro.build.version.security_patch | xargs)"

if [[ -z "$MODEL" || -z "$SPL" ]]; then
  echo "UNKNOWN: could not read required properties"
  exit 2
fi

# Best-effort Pixel identification
IS_GOOGLE=0
if [[ "$MANUFACTURER" =~ [Gg]oogle ]] || [[ "$BRAND" =~ [Gg]oogle ]] || [[ "$MODEL" =~ Pixel ]] || [[ "$DEVICE" =~ ^(oriole|raven|bluejay|panther|cheetah|felix|lynx|husky|shiba|akita|comet|tokay|caiman|komodo) ]]; then
  IS_GOOGLE=1
fi

if [[ "$IS_GOOGLE" -ne 1 ]]; then
  echo "UNKNOWN: device does not appear to be a supported Google Pixel"
  echo "MODEL=$MODEL MANUFACTURER=$MANUFACTURER BRAND=$BRAND DEVICE=$DEVICE SPL=$SPL"
  exit 2
fi

# Basic date validation
if [[ ! "$SPL" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
  echo "UNKNOWN: unexpected security patch level format: $SPL"
  exit 2
fi

# Lexicographic compare works for YYYY-MM-DD
if [[ "$SPL" < "$REQUIRED_SPL" ]]; then
  echo "VULNERABLE: $MODEL SPL=$SPL is earlier than required $REQUIRED_SPL"
  exit 1
else
  echo "PATCHED: $MODEL SPL=$SPL meets or exceeds $REQUIRED_SPL"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull a fleet list of all managed Google Pixel devices and separate anything below security patch level 2026-03-05. For this HIGH reassessment, the noisgate mitigation SLA is within 30 days: enforce patch compliance, disable 2G where feasible, and enable Android mobile-network security controls for high-risk users. The noisgate remediation SLA is within 180 days, but in practice you should finish Pixel patch rollout well before that because there is no good network-layer detection or shielding story once a handset stays exposed.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.