← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0123 · CWE-787 · Disclosed 2026-03-03

In EfwApTransport::ProcessRxRing of efw_ap_transport

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a trapdoor inside a locked room, not a hole in the front gate

CVE-2026-0123 is a memory-corruption bug in EfwApTransport::ProcessRxRing (efw_ap_transport.cc) caused by a missing bounds check, allowing an out-of-bounds write. Google ties it to the Pixel bulletin under the AOC subcomponent, and Google's OSV record marks it as Pixel-family specific with the fix landing at Pixel security patch level 2026-03-05; practically, that means supported Pixel devices below 2026-03-05 are the exposed set, not the whole Android ecosystem.

In reality this lands below the scary-sounding memory-corruption headline. The attacker needs local code execution on the device first—typically a malicious app or a prior foothold—so this is post-initial-access privilege escalation, not an internet-reachable compromise path. Google itself labeled it *Moderate* in the Pixel bulletin, and that matches the real-world picture better than the later enrichment-style 8.4/High CVSS math: narrow device population, local-only reachability, no KEV listing, tiny EPSS, and no public exploit trail.

"= ASSESSED AT MEDIUM: local-only, Pixel-specific EoP with no exploit evidence is a cleanup job, not a fleet fire"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code on the handset

The attacker first needs code execution on the target Pixel device, most plausibly by getting a user to install a malicious app, abusing sideloading, or chaining from another app-level bug. This CVE does not provide initial access by itself; it is a privilege-escalation stage after the adversary already has code running in user space.
Conditions required:
  • Affected Google Pixel device
  • Security patch level earlier than 2026-03-05
  • Ability to run attacker-controlled code locally on the device
Where this breaks in practice:
  • Managed enterprise Android fleets often restrict app installs with EMM/MDM and app allowlisting
  • Google Play Protect and mobile threat defense reduce the odds of commodity malicious-app delivery
  • If the estate has few or no Pixel devices, reachable population collapses immediately
Detection/coverage: Detection is weak at exploit stage; most defenders will only see the prerequisite via MDM app inventory, Play Protect alerts, or mobile threat defense telemetry.
STEP 02

Reach the AOC transport surface

The malicious local code then has to interact with the AOC transport path exposed to the device OS and drive input into EfwApTransport::ProcessRxRing. Based on Google's bulletin and OSV metadata, this is a Pixel-specific component path rather than a generic Android framework service.
Conditions required:
  • The local foothold can access the relevant device interface or service path
  • The vulnerable AOC transport implementation is present on that Pixel build
Where this breaks in practice:
  • AOC is niche and Pixel-specific, which limits attacker reuse across broader Android fleets
  • Non-public bug details mean exploit developers must reverse engineer the interface and memory layout
  • OS version, device model, and firmware differences can make exploit reliability messy
Detection/coverage: Commercial mobile scanners generally cannot validate this interface directly; they infer exposure from model/build/patch level.
STEP 03

Trigger the out-of-bounds write

A crafted message or ring-buffer state is used to hit the missing bounds check in ProcessRxRing, producing an out-of-bounds write. That gives the attacker a memory-corruption primitive inside a privileged device component path and opens the door to escalation beyond the original app sandbox.
Conditions required:
  • Precisely formed input that reaches the vulnerable code path
  • Device/build conditions compatible with stable memory corruption
Where this breaks in practice:
  • Memory-corruption bugs are not automatically reliable EoP wins; exploit stability still matters
  • Modern hardening can turn crashes into dead ends on some builds
  • No public PoC means defenders are not facing a copy-paste exploit ecosystem today
Detection/coverage: Runtime exploit detection is limited; in practice you may only catch side effects such as component crashes, unusual privileged behavior, or post-exploitation artifacts.
STEP 04

Escalate privilege on-device

If the corruption is weaponized successfully, the attacker crosses an on-device privilege boundary and upgrades the initial local foothold. The CVE description explicitly frames the end state as local elevation of privilege with no extra execution privileges and no user interaction required once the attacker already has code on the phone.
Conditions required:
  • Successful exploit reliability on the target model/build
  • A useful path from memory corruption to a higher-privilege context
Where this breaks in practice:
  • Blast radius is per-device, not fleet-wide from the network edge
  • The attacker still has to solve persistence, delivery, and scale separately
  • Enterprise impact depends heavily on whether the device is corporate-managed and actually used for sensitive workflows
Detection/coverage: MDM compliance drift, anomalous privileged app behavior, and mobile EDR/MTD telemetry are more realistic signals than traditional network detection.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of exploitation found in the sources reviewed. Google noted targeted exploitation for a *different* March 2026 Android CVE, not this one, and CVE-2026-0123 is not called out as exploited.
KEV statusNot listed in CISA KEV as of the current catalog check.
PoC availabilityNo public GitHub or researcher PoC surfaced in review. The Android bug ID is marked with * in the Pixel bulletin, meaning the underlying issue details are not publicly available, which raises exploit-development friction.
EPSS0.00008 (~0.008%) from the supplied intel, which is effectively floor-level likelihood compared with remotely exploitable enterprise bugs.
CVSS contextThere is no vendor baseline CVSS in the Pixel bulletin. Separate enrichment sources later show AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, but that math overstates operational urgency because AV:L means the attacker already has code execution on the handset.
Affected scopeGoogle's OSV entry marks this as Pixel-family specific under AOC, not a generic Android-wide issue.
Fixed versionFixed for Google devices at Pixel security patch level 2026-03-05.
Exposure telemetryInference: Shodan/Censys/FOFA/GreyNoise-style internet telemetry is not useful here because this is a local device vulnerability, not an exposed network service.
Disclosure datePublicly disclosed in Google's March 2026 Pixel bulletin, published 2026-03-03; the OSV record for PUB-A-430693465 is dated 2026-03-01.
Reporter / referenceThe public bulletin attributes it only to Android bug A-430693465; no independent researcher credit was exposed in the reviewed public sources.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (5.6/10)

The deciding factor is attacker position: this bug is only useful after the adversary already has local code execution on an affected Pixel device. That prerequisite sharply narrows both reachable population and enterprise urgency, despite the technically serious memory-corruption impact once triggered.

HIGH Affected scope is Pixel-family specific and fixed at Pixel patch level `2026-03-05`
HIGH Operational urgency is reduced by the required local foothold and lack of internet exposure
MEDIUM Exact exploitability details are limited because the Android bug remains non-public

Why this verdict

  • Start point: there is no vendor CVSS baseline to compare against, so this is a first-principles severity call rather than an upgrade or downgrade
  • Primary friction — local attacker position: exploitation requires AV:L, which implies the attacker already has code execution on the device; that is post-initial-access, not initial compromise
  • Reachable population is narrow: Google's own OSV data marks the issue as *Pixel-family specific*, so this is not a full Android-fleet problem
  • Exposure is not internet-scale: no external service, no perimeter spray-and-pray path, and no Shodan/Censys-style surface means far lower mass-exploitation potential
  • Exploit pressure is low: no KEV listing, no public exploitation evidence in reviewed sources, no public PoC found, and EPSS is effectively near-zero

Why not higher?

A higher bucket would require some combination of broad exposure, active exploitation, or a path that materially helps attackers get *onto* devices. This bug does none of that. It is dangerous only after a local foothold exists, and the affected population is narrowed further by the Pixel/AOC scope.

Why not lower?

It should not be pushed down to LOW because successful exploitation can still collapse an on-device privilege boundary with no extra privileges or user interaction once code is running locally. On managed mobile fleets, local EoP bugs still matter because they can convert a low-privilege malicious app into a more serious device compromise.

05 · Compensating Control

What to do — in priority order.

  1. Query your MDM for Pixel patch laggards — Identify Google Pixel devices below security patch level 2026-03-05 and separate them from the broader Android population. There is no noisgate mitigation SLA for a MEDIUM here, so use this immediately for scoping and drive remediation inside the 365-day window rather than treating all Android devices as equally exposed.
  2. Tighten app-install policy — This CVE needs local code execution first, so reducing untrusted app delivery is the best compensating control. Enforce managed Play, block sideloading where business permits, and require approved app catalogs on affected Pixel users; for this MEDIUM, that is risk reduction during the normal remediation cycle, not an emergency control.
  3. Verify Play Protect and MTD coverage — Play Protect and mobile threat defense are the tools most likely to break the prerequisite malicious-app stage before this vulnerability matters. Confirm they are enabled and reporting on corporate Pixel devices while patch compliance works through the normal remediation window.
  4. Prioritize high-risk user cohorts — If your fleet includes executives, admins, developers, journalists, or other higher-targeting-risk Pixel users, move those devices to the front of the patch queue first. Even for a MEDIUM, the most sensible sequencing is to patch the smallest number of highest-consequence devices earliest.
What doesn't work
  • Perimeter IDS/IPS or WAF controls do not help because there is no network-exposed attack surface to block.
  • Generic vulnerability scanning from the network will not validate this bug; exposure is determined mainly by device model family and Android security patch level.
  • MFA does nothing for the vulnerable code path; this is about local device exploitation after code already runs on the handset.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and USB debugging or enterprise ADB access to the target Pixel device. Invoke it as ./check_cve_2026_0123.sh <serial> or omit the serial if only one device is connected; no root is required, but you do need permission to use adb shell getprop on the device.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_0123.sh
# Determine likely exposure to CVE-2026-0123 on an Android device via ADB.
# Logic:
#   - Vulnerability is Pixel-family specific per Google's OSV record.
#   - Fixed at Pixel security patch level 2026-03-05.
# Output:
#   VULNERABLE / PATCHED / UNKNOWN
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -euo pipefail

TARGET_SERIAL="${1:-}"
ADB=(adb)
if [[ -n "$TARGET_SERIAL" ]]; then
  ADB+=( -s "$TARGET_SERIAL" )
fi

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

if ! command -v adb >/dev/null 2>&1; then
  fail_unknown "adb not found in PATH"
fi

STATE="$(${ADB[@]} get-state 2>/dev/null || true)"
if [[ "$STATE" != "device" ]]; then
  fail_unknown "no accessible adb device"
fi

getprop_safe() {
  ${ADB[@]} shell getprop "$1" 2>/dev/null | tr -d '\r'
}

MANUFACTURER="$(getprop_safe ro.product.manufacturer)"
BRAND="$(getprop_safe ro.product.brand)"
MODEL="$(getprop_safe ro.product.model)"
PATCH="$(getprop_safe ro.build.version.security_patch)"
ANDROID_VER="$(getprop_safe ro.build.version.release)"

if [[ -z "$PATCH" ]]; then
  fail_unknown "security patch level unavailable"
fi

# Normalize to lowercase for comparisons
MANUFACTURER_LC="$(printf '%s' "$MANUFACTURER" | tr '[:upper:]' '[:lower:]')"
BRAND_LC="$(printf '%s' "$BRAND" | tr '[:upper:]' '[:lower:]')"
MODEL_LC="$(printf '%s' "$MODEL" | tr '[:upper:]' '[:lower:]')"

# Heuristic: Pixel-family specific exposure. If it's clearly not Google/Pixel, mark UNKNOWN rather than PATCHED.
IS_PIXEL=0
if [[ "$MANUFACTURER_LC" == *google* ]] || [[ "$BRAND_LC" == *google* ]] || [[ "$MODEL_LC" == *pixel* ]]; then
  IS_PIXEL=1
fi

if [[ "$IS_PIXEL" -ne 1 ]]; then
  echo "UNKNOWN: device does not appear to be a Google Pixel family device | manufacturer=$MANUFACTURER brand=$BRAND model=$MODEL android=$ANDROID_VER patch=$PATCH"
  exit 2
fi

FIXED_PATCH="2026-03-05"

# Lexicographic compare works for YYYY-MM-DD
if [[ "$PATCH" < "$FIXED_PATCH" ]]; then
  echo "VULNERABLE: Pixel-family device below fixed patch level | manufacturer=$MANUFACTURER brand=$BRAND model=$MODEL android=$ANDROID_VER patch=$PATCH fixed=$FIXED_PATCH"
  exit 1
fi

if [[ "$PATCH" >= "$FIXED_PATCH" ]]; then
  echo "PATCHED: Pixel-family device at or above fixed patch level | manufacturer=$MANUFACTURER brand=$BRAND model=$MODEL android=$ANDROID_VER patch=$PATCH fixed=$FIXED_PATCH"
  exit 0
fi

fail_unknown "unexpected comparison state"
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull an MDM report for Google Pixel devices still below security patch level 2026-03-05, confirm whether you even have a meaningful Pixel population, and keep this out of emergency change control unless you also have signs of device compromise. There is no noisgate mitigation SLA for this MEDIUM — go straight to the 365-day remediation window — so the right move is normal mobile patch governance, app-install hardening, and risk-based prioritization of higher-value users, with actual patch completion for affected Pixels inside the noisgate remediation SLA of <= 365 days.

Sources

  1. Google Pixel Update Bulletin — March 2026
  2. Android Security Bulletin — March 2026
  3. Google OSV entry PUB-A-430693465
  4. Google Android OSV JSON for PUB-A-430693465
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS data and stats
  7. OpenCVE mirror of CVE-2026-0123 with CISA ADP enrichment
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.