Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0127

CVE-2026-0127: Google Android DoS Vulnerability

CVE-2026-0127 is a denial of service flaw in Google Android caused by an out-of-bounds read in NrmmMsgCodec that triggers communication processor crashes. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-0127 Overview

CVE-2026-0127 is an out-of-bounds read vulnerability in the Android communication processor stack. The flaw resides in NrmmMsgCodec::DecodeUPUTransparentContext within cn_NrmmDecoder.cpp. A malformed UPU transparent context message triggers memory corruption during decoding. Successful exploitation causes a communication processor crash, resulting in remote denial of service. The vulnerability requires no user interaction and grants no additional execution privileges. Google addressed the issue in the Android Security Bulletin June 2026. The weakness is classified as [CWE-125] Out-of-Bounds Read.

Critical Impact

Remote attackers can crash the Android communication processor without user interaction, disrupting cellular connectivity on affected devices.

Affected Products

  • Google Android (Pixel devices, June 2026 security patch level)
  • Devices using the cn_NrmmDecoder communication processor component
  • Android builds prior to the June 2026 security patch

Discovery Timeline

  • 2026-06-16 - CVE-2026-0127 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0127

Vulnerability Analysis

The vulnerability exists in the NrmmMsgCodec::DecodeUPUTransparentContext function inside cn_NrmmDecoder.cpp. This function decodes UE Policy Update (UPU) transparent context fields used in 5G NAS (Non-Access Stratum) messaging. The decoder reads beyond the allocated buffer boundaries when processing crafted input. This out-of-bounds read corrupts adjacent memory and destabilizes the communication processor. The crash terminates radio interface functionality until the device or modem subsystem restarts. The flaw maps to [CWE-125] Out-of-Bounds Read.

Root Cause

The codec lacks sufficient bounds validation when parsing UPU transparent context length fields. The function trusts attacker-controlled length descriptors embedded in the network payload. When the declared length exceeds the actual buffer size, the read operation traverses memory past the allocation boundary. This produces undefined behavior that the modem firmware cannot recover from gracefully.

Attack Vector

The attack requires network adjacency to deliver a malformed 5G NAS message to the target device. An attacker operating a rogue base station or compromised network element transmits the crafted UPU message. The Android communication processor decodes the message automatically upon receipt. No user interaction is required, and the device does not display any prompt before processing. Repeated delivery can produce sustained denial of service against the cellular interface.

No verified proof-of-concept code is publicly available for this vulnerability. See the Android Security Bulletin June 2026 for vendor technical details.

Detection Methods for CVE-2026-0127

Indicators of Compromise

  • Unexpected modem or radio interface crashes logged in logcat with references to NrmmMsgCodec or cn_NrmmDecoder
  • Repeated cellular connectivity drops without corresponding network outages
  • Modem restart events in the Android system log following NAS message reception
  • Devices stuck cycling between cellular states without successful registration

Detection Strategies

  • Monitor mobile device management (MDM) telemetry for elevated modem crash rates across managed fleets
  • Correlate radio interface failures with geographic clusters that may indicate rogue base station activity
  • Inspect device bug reports for tombstone files referencing the communication processor decoder
  • Track Android security patch level compliance to identify unpatched devices receiving June 2026 updates

Monitoring Recommendations

  • Enroll devices in enterprise MDM platforms that report crash analytics and patch level state
  • Establish baselines for cellular connectivity stability per device model and geography
  • Alert on anomalous concentrations of modem resets within short time windows
  • Review logs after travel to high-risk regions where rogue base station activity is plausible

How to Mitigate CVE-2026-0127

Immediate Actions Required

  • Apply the June 2026 Android security patch level or later to all affected devices
  • Prioritize patching for Pixel devices and any OEM builds incorporating the cn_NrmmDecoder component
  • Verify patch deployment through MDM compliance reporting
  • Restrict use of unpatched devices on untrusted cellular networks until updates are applied

Patch Information

Google released a fix in the June 2026 Android Security Bulletin. Devices with a security patch level of 2026-06-01 or later contain the corrected NrmmMsgCodec::DecodeUPUTransparentContext implementation. Refer to the Android Security Bulletin June 2026 for build identifiers and OEM update schedules.

Workarounds

  • Disable 5G standalone (SA) mode on affected devices where carrier configuration allows, falling back to LTE
  • Avoid connecting to unknown or unverified cellular networks until the patch is applied
  • Use airplane mode in environments where rogue base station activity is suspected
  • Enforce patch level requirements through conditional access policies on enterprise resources
bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne