CVE-2026-0120 · In modem, there is a possible out of bounds write due to an incorrect bounds check.

01 · The Real Story

This is a radio-side landmine, not an internet-wide wormhole

CVE-2026-0120 is an out-of-bounds write in the Android modem/baseband path that can plausibly yield remote code execution during modem traffic handling. Google disclosed it on 2026-03-10, and Android/Pixel bulletins say devices at security patch level 2026-03-05 or later address the March 2026 issues. In practice, the affected population is best described as Android devices still below the March 2026 patch level, with Google Pixel specifically calling out this CVE in its March 2026 device bulletin.

The vendor's 9.8 CRITICAL score reflects the *technical* worst case: no auth, no clicks, potential code exec in a network-reachable component. Reality is harsher on attackers. This is not a clean internet-service RCE on port 443; it is a modem-path bug that likely requires radio-path reachability, specialized exploit development, and often an additional pivot out of the baseband to create the kind of enterprise impact security teams care about. That keeps it urgent, but not top-shelf emergency-for-everyone critical.

"Serious baseband RCE, but real-world reach and enterprise blast radius are narrower than a 9.8 suggests."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get radio-path reachability

The attacker needs to deliver malformed traffic into the vulnerable modem handling path using a rogue base station / SDR toolchain or another telecom-path position. This is *not* the same as reaching a web app from the public internet; the reachable surface is the cellular/baseband stack exposed to radio or operator-controlled traffic.

Conditions required:

Target device is an affected Android handset below security patch level 2026-03-05
Cellular modem is enabled and attached or attachable to a reachable network
Attacker has RF proximity, rogue infrastructure, or privileged telecom-path access

Where this breaks in practice:

Requires attacker position in the radio path, not just internet access
Rogue base-station operations are noisy, specialized, and jurisdictionally risky
Many enterprise users are not persistently exposed to attacker-controlled cellular conditions

Detection/coverage: Traditional vuln scanners, EASM, Shodan, Censys, and most ASM tooling have near-zero visibility into this prerequisite because the attack surface is the modem/radio path, not an indexable TCP service.

STEP 02

Trigger the bounds bug in modem parsing

The attacker sends crafted modem-facing input intended to hit the incorrect bounds check and force an out-of-bounds write. Public sources confirm the class and impact, but I found no authoritative public exploit or step-by-step trigger details, which means exploit development still appears non-trivial and domain-specific.

Conditions required:

Precise knowledge of the vulnerable modem message path
Payloads that reach the exact parser state
Device/chipset/firmware combination matching the bugged implementation

Where this breaks in practice:

No verified public PoC found in this review
Baseband exploit development is materially harder than HTTP request fuzzing
OEM/carrier firmware variation reduces one-size-fits-all reliability

Detection/coverage: Endpoint security on Android usually cannot inspect malformed baseband traffic directly. At best, defenders may see crash telemetry, radio instability, or OEM diagnostics after the fact.

STEP 03

Land code execution in the modem/baseband domain

If exploitation succeeds, the immediate win is code execution in the modem processing environment. That is serious, but the enterprise question is whether the attacker can turn baseband control into durable device compromise, credential theft, or managed-app access on the application processor.

Conditions required:

Successful memory corruption with stable control of execution
Chipset and mitigations do not prevent reliable code reuse or corruption outcomes

Where this breaks in practice:

Modern mitigations can turn a memory-safety bug into a crash instead of clean RCE
Modem/baseband execution is not automatically equivalent to Android OS or work-profile compromise

Detection/coverage: EDR/MDR coverage is weak inside baseband domains. Detection is mostly indirect through device instability, OEM telemetry, or anomalous cellular behavior.

STEP 04

Pivot to enterprise-relevant impact

To become a true fleet crisis, the attacker usually needs a second step: persistence, application-processor escape, surveillance capability, or access to corp data on the handset. Without that, the practical blast radius is narrower than CVSS implies, especially in enterprises that use managed work profiles, conditional access, and app isolation.

Conditions required:

A follow-on path from modem compromise to userland, kernel, or sensitive enterprise data
Enterprise workflows that trust the device enough for meaningful downstream access

Where this breaks in practice:

Additional chaining may be required for the worst-case business impact
UEM compliance gates and app-level zero trust can limit post-compromise value
Some fleets have small Android/Pixel populations relative to Windows/macOS estates

Detection/coverage: This stage is where UEM, identity telemetry, mobile threat defense, and abnormal access analytics may finally surface suspicious behavior.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No verified active exploitation found in authoritative sources reviewed. `CISA KEV`: not listed.
Proof-of-concept availability	No authoritative public PoC or weaponized exploit repo identified during this review.
EPSS	`0.00238` (0.238%) from the user-supplied intel; that is low on an absolute basis. FIRST documents EPSS as a 30-day exploitation probability estimate.
KEV status	No; not present in the CISA Known Exploited Vulnerabilities Catalog as reviewed.
CVSS vector reality check	`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` assumes direct network reachability and worst-case impact. For a modem bug, the `AV:N` label is technically plausible but operationally overstates how many enterprise devices an attacker can actually reach and weaponize at scale.
Affected versions	Vendor disclosures do not publish a crisp semver range. Operationally, treat Android/Pixel devices below security patch level `2026-03-05` as exposed to the March 2026 bulletin set that includes this CVE.
Fixed versions	Android security patch level `2026-03-05` or later addresses all issues in the March 2026 Android bulletin; Pixel bulletin says `2026-03-05` or later addresses this bulletin and the March Android bulletin.
Exposure / scanning reality	Internet exposure data from Shodan/Censys/FOFA is largely not applicable. This is a baseband/radio attack surface, so classic edge scanning undercounts risk while also confirming this is not an internet-facing enterprise service bug.
Disclosure date	2026-03-10 in NVD/OpenCVE metadata; Android bulletin published 2026-03-02 and Pixel bulletin published 2026-03-03.
Reporter / discoverer	Public record reviewed does not name an external researcher. CNA is `Google_Devices`; discovery is shown as `UNKNOWN` in OpenCVE's rendered CVE record.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.1/10)

The single biggest downward pressure is attacker position: this is a modem-path bug, so the adversary needs radio-path reachability or equivalent telecom placement rather than commodity internet access. That sharply reduces exposed population and exploit convenience versus a true unauthenticated internet-facing RCE, even though the technical outcome could still be severe on a vulnerable handset.

HIGH Vendor metadata, disclosure dates, CVSS vector, and patched patch-level mapping

MEDIUM Real-world exploitability reduction due to radio-path and chaining assumptions

LOW Exact chipset/OEM breadth because the public advisory does not publish a precise version matrix

Why this verdict

Downgrade for attacker position: vendor 9.8 starts from a worst-case AV:N view, but here network means the modem/radio path, not a universally reachable enterprise internet service.
Downgrade for exposed population: only Android devices missing the March 2026 patch level are in scope, and many enterprise estates have limited Android/Pixel density compared with server and desktop fleets.
Downgrade for exploit friction: no verified public PoC or exploitation evidence was found, and baseband exploit engineering is harder than typical edge-RCE weaponization.
Downgrade for blast-radius conversion: baseband compromise is dangerous, but the worst business impact often requires a second pivot into the application processor, enterprise apps, or identity material.
Keep it HIGH, not MEDIUM: unauthenticated no-click modem RCE remains a serious class of bug, and managed mobile fleets still carry sensitive identities, MFA factors, email, and corp data.

Why not higher?

I do not buy CRITICAL for fleet prioritization because this is not a mass-reachable, internet-exposed service flaw with commodity exploit preconditions. The combination of radio-path reachability, specialized exploit development, and likely need for follow-on chaining cuts the practical enterprise emergency level below the vendor headline score.

Why not lower?

This is still a remote, no-user-interaction memory corruption issue in a high-value component. If you run a sizable Android fleet, especially for executives, travelers, journalists, or high-risk personnel, the surveillance and device-compromise potential is too meaningful to treat as routine backlog.

05 · Compensating Control

What to do — in priority order.

Enforce Android patch compliance — Use UEM/MDM conditional access to block or restrict Android devices below security patch level 2026-03-05. For a HIGH verdict, deploy this within 30 days; it is the cleanest compensating control because the bulletin maps directly to a patch-level check.
Restrict high-risk users to patched devices — Move executives, admins, legal, threat intel, and frequent travelers onto confirmed-patched handsets first. Do this within 30 days because these users have the highest value if a radio-path attack is used for surveillance or credential access.
Reduce trust in mobile posture — Require device-compliance signals for email, SSO, VPN, and SaaS access from Android. Deploy within 30 days so a compromised handset has less downstream value even if the modem bug is exploited.
Prefer managed Wi-Fi where feasible — For especially sensitive users or temporary risk reduction, minimize unnecessary cellular exposure when business operations allow, and disable unused SIM/eSIM profiles. This is not a full fix, but as a HIGH compensating step it is useful when patch uptake lags inside the 30-day window.

What doesn't work

WAF/NGFW controls do not meaningfully help because the vulnerable path is in modem/baseband traffic, not an HTTP application stack.
Routine network vulnerability scanning will miss this class almost completely; there is no stable internet-facing service banner to fingerprint.
MFA alone does not stop exploitation of the handset. It may limit downstream account abuse, but it does not prevent device compromise.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and at least one Android device connected over USB or approved wireless ADB. Invoke it as python3 check_cve_2026_0120.py --serial <device_serial> or omit --serial for the first attached device; no root is required, but you need ADB access to the handset.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_cve_2026_0120.py
# Verify likely exposure to CVE-2026-0120 by checking Android security patch level.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR

import argparse
import datetime
import shutil
import subprocess
import sys

PATCH_DATE = datetime.date(2026, 3, 5)


def run(cmd):
    return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)


def adb_shell(serial, prop):
    base = ["adb"]
    if serial:
        base += ["-s", serial]
    base += ["shell", "getprop", prop]
    r = run(base)
    if r.returncode != 0:
        raise RuntimeError(r.stderr.strip() or f"adb failed for {prop}")
    return r.stdout.strip()


def parse_date(s):
    try:
        parts = s.strip().split("-")
        if len(parts) != 3:
            return None
        y, m, d = map(int, parts)
        return datetime.date(y, m, d)
    except Exception:
        return None


def main():
    ap = argparse.ArgumentParser(description="Check likely exposure to CVE-2026-0120 via Android security patch level")
    ap.add_argument("--serial", help="ADB device serial", default=None)
    args = ap.parse_args()

    if shutil.which("adb") is None:
        print("UNKNOWN - adb not found in PATH")
        sys.exit(2)

    try:
        patch = adb_shell(args.serial, "ro.build.version.security_patch")
        brand = adb_shell(args.serial, "ro.product.brand")
        model = adb_shell(args.serial, "ro.product.model")
        build = adb_shell(args.serial, "ro.build.display.id")
    except Exception as e:
        print(f"UNKNOWN - unable to query device: {e}")
        sys.exit(2)

    if not patch:
        print(f"UNKNOWN - device {brand} {model} did not report a security patch level")
        sys.exit(2)

    patch_date = parse_date(patch)
    if patch_date is None:
        print(f"UNKNOWN - unparseable security patch level '{patch}' on {brand} {model} ({build})")
        sys.exit(2)

    # Operational rule from Android/Pixel March 2026 bulletins:
    # security patch level 2026-03-05 or later addresses the March 2026 issues.
    if patch_date >= PATCH_DATE:
        print(f"PATCHED - {brand} {model} reports security patch level {patch} (build: {build})")
        sys.exit(0)
    else:
        print(f"VULNERABLE - {brand} {model} reports security patch level {patch}, below 2026-03-05 (build: {build})")
        sys.exit(1)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print("UNKNOWN - interrupted")
        sys.exit(2)

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull an inventory of all managed Android devices and sort by security patch level; anything below 2026-03-05 goes into a focused Android remediation campaign, with executives and other high-risk users first. Because this is HIGH, the noisgate mitigation SLA is within 30 days for conditional-access/UEM containment of unpatched devices, and the noisgate remediation SLA is within 180 days for full patching; do not wait for public exploitation before cleaning up lagging Android handsets.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.