← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0118 · CWE-693 · Disclosed 2026-03-10

In oobconfig

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is more like slipping past a SIM lock than kicking down the front door

CVE-2026-0118 is a logic error in oobconfig on Google Pixel devices that can bypass carrier restrictions. Google and OSV tie the fix to the March 2026 Pixel patch train, with the vulnerable window effectively being Pixel-family builds before security patch level 2026-03-05; Android’s broader March 2026 bulletin also references the issue, but the Pixel bulletin is the cleaner scoping signal for defenders.

The vendor's HIGH/8.4 baseline makes sense inside Android's own rating model, which explicitly scores impact assuming platform mitigations are absent or bypassed. In real enterprise operations, though, this is a *local*, post-delivery issue on a *device-specific* component with no evidence of mass exploitation, no public exploit chain, and a constrained business impact centered on carrier-policy bypass rather than broad tenant compromise or server-side takeover.

"High on paper, but this is a local Pixel-side policy bypass with narrow enterprise blast radius"
02 · The Attack Path

3 steps from start to impact.

STEP 01

Land code execution on the handset

The attacker first needs code running on the target Pixel, typically via a malicious APK, sideloaded app, developer tooling, or an already-compromised local app context. There is no remote network attack surface in the CVSS vector; AV:L means this only starts *after* code is already on the device.
Conditions required:
  • Target is a Google Pixel device
  • Device patch level is earlier than 2026-03-05
  • Attacker can execute code locally as an unprivileged app or equivalent local context
Where this breaks in practice:
  • Requires a prior compromise stage or unsafe app installation path
  • Modern managed Android fleets often restrict sideloading and unknown sources
  • Play Protect, MTD agents, and app allowlisting reduce reachable population
Detection/coverage: MDM/EMM can identify vulnerable Pixel patch levels reliably; exploitation itself is unlikely to be caught by network scanners because the bug is local-only.
STEP 02

Trigger the oobconfig logic flaw

A local exploit harness would interact with the affected oobconfig code path and abuse the logic error that enforces carrier restrictions. Practically, this looks less like memory corruption weaponization and more like driving a bad state transition or trust decision in policy handling.
Conditions required:
  • Local app/process can reach the relevant oobconfig pathway
  • Carrier restriction enforcement is present and meaningful on that device
Where this breaks in practice:
  • No public PoC was located, which raises attacker development cost
  • The bug lives in a niche functional path, not a broad always-on parser or network daemon
  • Many enterprise phones are already carrier-unlocked or unaffected by this policy state
Detection/coverage: No strong commodity scanner coverage for the flaw mechanics; detection is mostly indirect through app telemetry, unusual telephony state changes, or forensic review.
STEP 03

Bypass carrier policy controls

Successful exploitation bypasses carrier restrictions on the device. That can translate into unauthorized use of network/carrier functionality or policy circumvention on that handset, but it does not by itself imply domain takeover, broad data center compromise, or wormable spread.
Conditions required:
  • Device relies on carrier restriction enforcement for security or business policy
  • Attacker objective benefits from bypassing that control on a single handset
Where this breaks in practice:
  • Blast radius is usually one device at a time
  • Enterprise impact depends heavily on whether carrier locking matters in your fleet
  • No evidence of automated internet-scale exploitation
Detection/coverage: Look for anomalous SIM/carrier state transitions, inventory drift, or devices whose patch level predates 2026-03-05.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative evidence found for active exploitation. CISA ADP SSVC data exposed via OpenCVE shows Exploitation: none.
KEV statusNot listed in CISA KEV as of this assessment.
PoC availabilityNo credible public PoC or exploit repo located from primary accessible sources; that is real friction for opportunistic abuse.
EPSSNo directly retrievable FIRST EPSS score for CVE-2026-0118 was located from accessible primary sources during this assessment; treat EPSS as unavailable/undetermined, not zero.
CVSS vectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — that says local only, easy to trigger, no privileges, no user interaction, but still assumes severe device impact once code is already running.
Affected scopeGoogle identifies the issue in Pixel March 2026 advisories under subcomponent oobconfig; OSV maps the affected range to Pixel-family specific builds before the March 2026 fix.
Fixed versionPatched in the Pixel March 2026 security release; OSV and Google indicate security patch level 2026-03-05 as the fix point.
Scanning/exposure dataInternet exposure data from Shodan/Censys/FOFA is largely irrelevant here because this is not a remotely reachable network service. External attack surface scanners will miss exploitability and are only useful for asset inventory correlation.
Disclosure date2026-03-10 per the supplied intel; Google bulletins were published in March 2026 and updated afterward.
Reporting / trackingTracked by Google as Android bug A-427469428, published in Pixel and Android security bulletins, and mirrored in OSV/OpenCVE.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (4.4/10)

The decisive downgrading factor is attacker position: this starts at local code execution on a Pixel handset, which already implies a prior compromise or unsafe app-install path. From there, the business impact is usually a device-scoped carrier-policy bypass, not a broad enterprise compromise primitive.

HIGH Exploitability requires local attacker position
MEDIUM Impact is narrower than the vendor CVSS implies for most enterprise fleets
MEDIUM Affected population is largely limited to Pixel devices before `2026-03-05`

Why this verdict

  • Down from 8.4 because it is AV:L: an attacker must already have code execution on the device, which is post-initial-access and a major real-world severity suppressor.
  • Down again because the exposed population is narrow: this is tied to Pixel oobconfig, not a generic enterprise server, browser, or email gateway surface spread across your whole estate.
  • Down again because the blast radius is usually one handset: bypassing carrier restrictions matters, but it is not the same operationally as remote code execution on a management plane or identity system.
  • No upgrade pressure from threat intel: no KEV listing, no active exploitation evidence, and no public PoC located from accessible primary sources.
  • Vendor score overstates enterprise urgency because Android's own severity guidance explicitly assumes mitigations are absent or bypassed; fleet defenders should not treat that as identical to real-world exploit prevalence.

Why not higher?

This is not remotely reachable, not wormable, and not sitting on a shared enterprise control plane. The first prerequisite alone — local code execution on the target handset — sharply limits both attacker population and fleet-wide urgency, and there is no current exploitation evidence to offset that friction.

Why not lower?

It still removes a protection mechanism with no privileges and no user interaction once local code is in place. On a managed mobile fleet, unprivileged app-level abuse against unpatched Pixels is credible enough that this should not be waved off as pure backlog noise.

05 · Compensating Control

What to do — in priority order.

  1. Scope vulnerable Pixels — Use MDM/EMM inventory to identify Google Pixel devices with security patch levels earlier than 2026-03-05. For a MEDIUM verdict there is no mitigation SLA, but scoping should happen early so you can place the affected subset into the remediation queue within the 365-day window.
  2. Restrict sideloading — Enforce Play-only installs, unknown-sources restrictions, and app allowlisting on corporate Android devices. This directly attacks the biggest prerequisite — local unprivileged code execution — and is the best compensating control while remediation is scheduled; for MEDIUM, there is no mitigation SLA, so apply as standard hardening rather than emergency change.
  3. Enforce Play Protect and MTD — Keep Google Play Protect enabled and ensure any mobile threat defense agent remains healthy on managed Pixels. These controls won't fix the logic bug, but they reduce the probability that a malicious APK ever reaches the exploitation stage before the patch is deployed within the 365-day remediation window.
  4. Prioritize carrier-sensitive populations — If you manage carrier-locked field devices, subsidized handsets, or regulated mobile populations where SIM/carrier policy matters, move those users to the front of the patch queue. Their business impact is higher even though the CVE remains only MEDIUM overall.
What doesn't work
  • Perimeter network scanning doesn't help, because this vulnerability is local-only and not exposed as an internet-facing service.
  • A WAF or email gateway doesn't meaningfully mitigate the flaw itself; the relevant control point is preventing malicious app execution on-device.
  • Generic vulnerability scanning of public IP space will not tell you exploitability here; you need mobile asset inventory and patch telemetry.
06 · Verification

Crowdsourced verification payload.

Run this on the target Android/Pixel device via adb shell sh /data/local/tmp/check-cve-2026-0118.sh after pushing it with adb push check-cve-2026-0118.sh /data/local/tmp/. It needs only standard shell access; root is not required. The script classifies Pixel devices with security patch levels earlier than 2026-03-05 as VULNERABLE, patch levels on or after that date as PATCHED, and non-Pixel/ambiguous cases as UNKNOWN.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/system/bin/sh
# check-cve-2026-0118.sh
# Purpose: Assess likely exposure to CVE-2026-0118 on Android/Pixel devices.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

PATCH_CUTOFF="2026-03-05"

getprop_safe() {
  /system/bin/getprop "$1" 2>/dev/null | tr -d '\r'
}

normalize_date() {
  # Convert YYYY-MM-DD to integer YYYYMMDD for comparison.
  echo "$1" | tr -d '-'
}

MANUFACTURER="$(getprop_safe ro.product.manufacturer)"
BRAND="$(getprop_safe ro.product.brand)"
MODEL="$(getprop_safe ro.product.model)"
DEVICE="$(getprop_safe ro.product.device)"
PATCH_LEVEL="$(getprop_safe ro.build.version.security_patch)"
FINGERPRINT="$(getprop_safe ro.build.fingerprint)"

IS_PIXEL=0
case "$(echo "$MANUFACTURER $BRAND $MODEL $DEVICE $FINGERPRINT" | tr '[:upper:]' '[:lower:]')" in
  *google*|*pixel*) IS_PIXEL=1 ;;
esac

if [ -z "$PATCH_LEVEL" ]; then
  echo "UNKNOWN: unable to read ro.build.version.security_patch"
  exit 2
fi

# Basic date format validation.
echo "$PATCH_LEVEL" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
if [ $? -ne 0 ]; then
  echo "UNKNOWN: patch level format not recognized: $PATCH_LEVEL"
  exit 2
fi

PATCH_INT="$(normalize_date "$PATCH_LEVEL")"
CUTOFF_INT="$(normalize_date "$PATCH_CUTOFF")"

if [ "$IS_PIXEL" -ne 1 ]; then
  echo "UNKNOWN: device does not clearly identify as Google Pixel"
  echo "manufacturer=$MANUFACTURER brand=$BRAND model=$MODEL device=$DEVICE patch_level=$PATCH_LEVEL"
  exit 2
fi

if [ "$PATCH_INT" -lt "$CUTOFF_INT" ]; then
  echo "VULNERABLE: Google Pixel with security patch level $PATCH_LEVEL (< $PATCH_CUTOFF)"
  echo "manufacturer=$MANUFACTURER brand=$BRAND model=$MODEL device=$DEVICE"
  exit 1
fi

if [ "$PATCH_INT" -ge "$CUTOFF_INT" ]; then
  echo "PATCHED: Google Pixel with security patch level $PATCH_LEVEL (>= $PATCH_CUTOFF)"
  echo "manufacturer=$MANUFACTURER brand=$BRAND model=$MODEL device=$DEVICE"
  exit 0
fi

echo "UNKNOWN: unable to determine exposure"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull an MDM report for all Google Pixel devices and filter for security patch levels earlier than 2026-03-05; that is your actionable population. Because this reassesses to MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window for the actual patch, but carrier-sensitive or field-device populations should be patched first; the noisgate remediation SLA is ≤365 days, and there is no separate emergency compensating-control deadline unless your own mobile risk posture says carrier-lock bypass is business-critical.

Sources

  1. Android Security Bulletin — March 2026
  2. Pixel Update Bulletin — March 2026
  3. Android severity guidance
  4. OSV record PUB-A-427469428 / CVE-2026-0118
  5. OpenCVE record for CVE-2026-0118
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS overview
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.