← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0122 · CWE-787 · Disclosed 2026-03-10

In multiple places

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a blown tire on a company car, not a sinkhole under your whole datacenter

CVE-2026-0122 is an out-of-bounds write in Google Android memory-handling code that can end in code execution. Public detail is thin: NVD describes it generically, while Google's March 2026 Pixel bulletin places it in the *Baseband* bucket and says devices at security patch level 2026-03-05 or later contain the fix. That means the realistic affected population is not "everything with Android," but the subset of managed Android/Pixel devices that had not yet taken the March 2026 update.

The vendor-style base score of 8.4 captures worst-case impact on a single device, but it overstates enterprise patch urgency. The biggest real-world friction is attacker position: the published CVSS vector is AV:L, which means this is not a broad internet-reachable server bug. Add *no KEV listing*, *very low EPSS*, no public exploit chain, and a narrow mobile-device blast radius, and this belongs in a normal mobile remediation lane rather than the top of a 10,000-host emergency queue.

"Technically nasty, operationally narrow: treat it like a mobile-fleet patch item, not a fleet-wide fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get onto the handset or reach the radio path

There is no evidence of a turnkey public exploit, so an attacker first needs a delivery position. In practice that means either local code execution on the device already, or a specialized path into the vulnerable baseband-facing surface if the Pixel bulletin's classification is the right one. Publicly available lab tooling like adb helps with local footholds; SDR stacks such as srsRAN are relevant only for research-grade radio testing, not commodity enterprise attacks.
Conditions required:
  • Target uses an affected Android/Pixel build prior to the 2026-03-05 security patch level
  • Attacker has a local foothold on the device, or specialized capability to reach the vulnerable radio/baseband path
  • The vulnerable component is actually present on that handset model/carrier build
Where this breaks in practice:
  • The published vector is AV:L, which implies prior code execution or equivalent local reach
  • Baseband delivery is highly specialized and not a common enterprise attack path
  • Carrier/OEM fragmentation narrows the truly affected handset set
Detection/coverage: Standard vuln scanners do poorly here. MDM/UEM can usually identify Android security patch level, but exploit-path visibility is weak, especially if the bug sits in baseband firmware.
STEP 02

Trigger the memory corruption

The attacker then has to exercise the vulnerable code path and convert an out-of-bounds write into reliable corruption. With no public PoC and no detailed root-cause write-up from Google, exploit development burden is non-trivial. This is not the kind of bug most opportunistic actors weaponize on day one.
Conditions required:
  • Precise handset/firmware target knowledge
  • A crafted input that reaches the buggy memory operation
  • Exploit reliability against the target build
Where this breaks in practice:
  • No public proof-of-concept was found
  • Closed-source or partially opaque firmware raises reverse-engineering cost
  • Exploit reliability on mobile targets is harder than popping a userland parser bug on a server
Detection/coverage: You may see crash artifacts or device instability, but prevention/detection products rarely expose this step directly.
STEP 03

Convert corruption into code execution on-device

If the write is exploitable, the attacker can land code execution with high impact to confidentiality, integrity, and availability on that handset. This is where the technical severity is real: one successful compromise can hand over the device, its data, and enterprise mobile access tokens. On a per-device basis that is ugly; at fleet scale it is still bounded by mobile fleet size and exploitability friction.
Conditions required:
  • Successful memory corruption primitive
  • Target defenses do not fully block code-reuse or execution flow hijack
  • The handset is valuable enough to justify the effort
Where this breaks in practice:
  • Modern Android hardening raises exploit-chain complexity
  • Blast radius is usually one handset at a time
  • Mobile threat defense tooling may catch follow-on malicious behavior even if it misses the exploit
Detection/coverage: Detection shifts from vulnerability discovery to post-exploitation signals: unusual process behavior, mobile EDR alerts, token abuse, and suspicious app/network activity.
STEP 04

Monetize the handset compromise

A compromised enterprise phone can expose email, messaging, MFA prompts, VPN posture, and SSO session material. That can support broader intrusion objectives, but only after the attacker has already beaten the earlier gating factors. This is why the bug is not *low* severity, but it is also why it does not deserve the same queue position as an internet-facing edge RCE with active exploitation.
Conditions required:
  • Enterprise data or auth material exists on the phone
  • Attacker maintains persistence long enough to use the access
  • UEM/MTD controls do not quarantine the device quickly
Where this breaks in practice:
  • Many enterprises containerize or limit mobile data exposure
  • Token protections and conditional access reduce post-compromise value
  • High-value mobile targeting is typically selective, not spray-and-pray
Detection/coverage: Conditional access logs, IdP anomalies, UEM compliance drift, and mobile threat defense telemetry are your best downstream signals.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation was found, and CISA's KEV catalog does not list CVE-2026-0122.
Proof-of-concept availabilityNo public PoC or weaponized exploit repo was found during review. That materially lowers near-term operational risk.
EPSS0.00035 from the prompt — effectively *very low* expected exploitation probability. Secondary trackers also show near-zero values, reinforcing the same conclusion.
KEV statusNot KEV-listed as of this assessment. No CISA due date applies.
CVSS vectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — the important part is AV:L: the attacker does not get a broad remote-from-the-internet path for free.
Affected version rangePublic affected-version detail is sparse. NVD shows a broad google:android CPE, but Google's March 2026 Pixel bulletin ties the issue to *Baseband* fixes on supported Google devices.
Fixed versionGoogle states that devices at Android/Pixel security patch level 2026-03-05 or later contain the relevant March 2026 fixes.
Exposure / scanning realityThis is not meaningfully internet-scannable in the way an edge appliance or web app is. Shodan/Censys-style external exposure counts are largely irrelevant because the asset is the handset/baseband, not a listening enterprise service.
Disclosure dateDisclosed on 2026-03-10; NVD published it on 2026-03-10 and added CPE/reference enrichment on 2026-03-11.
Reporting researcher / sourceSource is Google Devices. Public discovery attribution appears as *unknown* in secondary CVE mirrors; no named external researcher was exposed in the public advisory.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.3/10)

The decisive downgrading factor is attacker position: the published vector is AV:L, so this is not a mass-exploitable internet edge bug even though device impact can be severe. Combine that with no KEV entry, extremely low EPSS, no public PoC, and a blast radius largely confined to managed Android/Pixel handsets, and the enterprise patch priority drops into a normal mobile remediation lane.

HIGH Downgrade from vendor-style HIGH to enterprise-priority MEDIUM
MEDIUM Affected population specifics, because Google's public advisory is thin on exact version/model breakdown
MEDIUM Baseband interpretation, inferred from the March 2026 Pixel bulletin

Why this verdict

  • Start at 8.4, then cut for attacker position: AV:L is the biggest reality check. Requiring local reach or equivalent specialized access means this is already *post-initial-access* or niche radio targeting, not opportunistic internet exploitation.
  • Cut again for exposed population: this is a mobile-device issue, not a server or edge-control-plane issue. In a 10,000-host estate, only the managed Android/Pixel subset is even in scope.
  • Cut again for threat evidence: no KEV, EPSS 0.00035, and no public PoC means there is little sign that the broader attacker ecosystem is spending calories here right now.
  • Do not cut to LOW: if exploited successfully, memory corruption in a handset/baseband context can still produce full compromise of a business device and the identity/data tied to it.

Why not higher?

A higher bucket would require either broad reachability, strong active-exploitation evidence, or both. This case has neither: the published vector is local, the advisory detail is sparse, there is no KEV listing, and no public exploit chain is driving emergency pressure.

Why not lower?

This is still an out-of-bounds write with potential code execution, not a cosmetic bug. Even a narrow handset exploit can be high-impact for executives, admins, and anyone using the device for MFA, mail, chat, or conditional-access-backed enterprise apps.

05 · Compensating Control

What to do — in priority order.

  1. Enforce minimum Android patch level — Use UEM/MDM compliance policy to require Android security patch level 2026-03-05 or later on managed devices. Because this is a MEDIUM verdict there is no mitigation SLA; use the control as routine fleet hygiene while you complete remediation inside the 365-day window.
  2. Restrict high-risk mobile app sources — Reduce the chance of the AV:L prerequisite by tightening sideloading, unknown-source installs, and developer-mode exceptions on corporate devices. This directly attacks the most important friction point: getting code onto the phone in the first place.
  3. Prioritize high-value users first — Move executives, admins, and frequent travelers to the front of the mobile patch queue because a single handset compromise carries outsized identity and data value. There is no formal mitigation SLA for MEDIUM, but these users deserve an accelerated internal target.
  4. Require conditional access on mobile — If a handset is compromised, conditional access, device compliance, and app-level protections can reduce how useful that compromise becomes. Keep this in place continuously; it lowers business impact even when it cannot stop the vulnerability itself.
What doesn't work
  • A perimeter WAF does not help; the vulnerable asset is the handset/baseband path, not your web tier.
  • Traditional network vulnerability scanning does not solve this well; scanners cannot reliably interrogate mobile baseband state or prove exploitability from outside the device.
  • Relying on Play Protect alone is not enough; it may help against malicious apps, but it does not guarantee protection from a firmware/baseband memory corruption flaw.
06 · Verification

Crowdsourced verification payload.

Run this on the target Android device through adb shell or your mobile management remote shell. Example: adb push check_cve_2026_0122.sh /data/local/tmp/ && adb shell sh /data/local/tmp/check_cve_2026_0122.sh; no root is required, but the device must allow shell access.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/system/bin/sh
# check_cve_2026_0122.sh
# Purpose: Approximate exposure to CVE-2026-0122 by checking Android security patch level.
# Logic: Google's March 2026 bulletins state that 2026-03-05 or later addresses the relevant fixes.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

REQ_PATCH="2026-03-05"
PATCH_LEVEL="$(getprop ro.build.version.security_patch 2>/dev/null)"
MANUFACTURER="$(getprop ro.product.manufacturer 2>/dev/null)"
MODEL="$(getprop ro.product.model 2>/dev/null)"
ANDROID_VER="$(getprop ro.build.version.release 2>/dev/null)"

if [ -z "$PATCH_LEVEL" ]; then
  echo "UNKNOWN - security patch level not available via ro.build.version.security_patch"
  exit 2
fi

# Basic sanity check for YYYY-MM-DD
case "$PATCH_LEVEL" in
  ????-??-??) ;;
  *)
    echo "UNKNOWN - unexpected patch level format: $PATCH_LEVEL"
    exit 2
    ;;
esac

# Lexical compare works for YYYY-MM-DD strings
if [ "$PATCH_LEVEL" \< "$REQ_PATCH" ]; then
  echo "VULNERABLE - patch level $PATCH_LEVEL is older than required $REQ_PATCH (manufacturer='$MANUFACTURER' model='$MODEL' android='$ANDROID_VER')"
  exit 1
fi

if [ "$PATCH_LEVEL" \>= "$REQ_PATCH" ] 2>/dev/null; then
  :
fi

echo "PATCHED - patch level $PATCH_LEVEL meets or exceeds $REQ_PATCH (manufacturer='$MANUFACTURER' model='$MODEL' android='$ANDROID_VER')"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull a UEM report for all managed Android/Pixel devices and isolate the subset still below security patch level 2026-03-05. This lands as MEDIUM: there is no noisgate mitigation SLA — go straight to the 365-day remediation window, so do not burn your emergency queue on it; instead, patch the affected mobile fleet through normal change control and complete the vendor update inside the noisgate remediation SLA of ≤365 days, while front-loading executives, admins, and other high-value mobile users.

Sources

  1. NVD CVE-2026-0122
  2. Android Security Bulletin—March 2026
  3. Pixel Update Bulletin—March 2026
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS documentation
  6. FIRST EPSS data documentation
  7. OpenCVE record for CVE-2026-0122
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.