
CVE-2026-0128: RtcpFbPacket Information Disclosure Flaw

CVE-2026-0128 is an information disclosure vulnerability in RtcpFbPacket caused by an out-of-bounds read that results from an integer overflow. A remote attacker can read sensitive data from the affected process; user interaction is required.


CVE-2026-0128 Overview

CVE-2026-0128 is an out-of-bounds read vulnerability in the RtcpFbPacket::decodeRtcpFbPacket function. An integer overflow during RTCP Feedback packet decoding allows attackers to read memory outside of allocated bounds. The flaw enables remote information disclosure without requiring additional execution privileges. User interaction is required for exploitation. The vulnerability was disclosed in the Android Security Bulletin for June 2026 and affects components that parse Real-time Transport Control Protocol (RTCP) feedback packets.

Critical Impact

Remote attackers can leak sensitive process memory from devices that decode crafted RTCP feedback packets, exposing data such as cryptographic material, session state, or memory layout information useful for further exploitation.

Affected Products

  • Android (component implementing RtcpFbPacket::decodeRtcpFbPacket)
  • Devices receiving Android Security Bulletin updates for June 2026
  • Pixel devices per the June 2026 Pixel Update Bulletin

Discovery Timeline

  • 2026-06-16 - CVE-2026-0128 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0128

Vulnerability Analysis

The vulnerability resides in RtcpFbPacket::decodeRtcpFbPacket, the decoder responsible for parsing RTCP Feedback packets. RTCP Feedback packets carry control information used during real-time media sessions, including transport feedback, NACKs, and Picture Loss Indications. The decoder performs arithmetic on packet length fields supplied by the remote peer. When these length values are multiplied or added without sufficient validation, the result wraps around the range of the integer type. The undersized result is then used as a buffer length or read offset, so the routine reads memory past the end of the allocated packet buffer.

Because the read occurs in a media handling code path that runs within a privileged media or telephony process, leaked bytes may include sensitive runtime state. The vulnerability is classified as an Out-of-Bounds Read [CWE-125] caused by an Integer Overflow [CWE-190].

Root Cause

The root cause is missing or insufficient validation of length values inside the RTCP Feedback Control Information (FCI) header before they are used in pointer arithmetic. The integer overflow produces a small value that bypasses subsequent size checks, allowing the decoder to dereference memory outside the bounds of the source buffer.

Attack Vector

An attacker delivers a malicious RTCP Feedback packet during a real-time communication session, such as a Voice over IP call, video conference, or WebRTC session. User interaction is required, meaning the victim must initiate or accept a session that exposes the vulnerable decoder to attacker-controlled RTCP traffic. Successful exploitation discloses memory content back to the attacker through subsequent protocol behavior or out-of-band channels.

No verified public exploit code is available. See the Android Security Bulletin June 2026 for technical details.

Detection Methods for CVE-2026-0128

Indicators of Compromise

  • Malformed RTCP Feedback packets with length fields whose product overflows 16-bit or 32-bit integer arithmetic
  • Repeated abnormal RTCP traffic from untrusted SIP, WebRTC, or media gateways during call setup
  • Crashes or anomalous memory reads in media or telephony processes correlated with RTCP packet receipt

Detection Strategies

  • Inspect RTCP packets at network boundaries for inconsistencies between the declared length field and the actual UDP payload size
  • Hunt for telephony or media process crashes in device logs immediately following inbound RTCP traffic
  • Correlate signaling logs from SIP or WebRTC infrastructure with anomalous packet sizes targeting RTCP Feedback message types
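The following is an added example, not code from Android or from the advisory, showing the length check the Root Cause and Detection Strategies sections describe: it computes the declared size of an RTCP feedback packet in a wide integer, bounds it by the UDP payload actually received, and only then derives the FCI length. The narrowing helper and the sample packets are constructed to illustrate the overflow class; they are not taken from the vulnerable decoder.

```c
#include <stdint.h>
#include <stddef.h>

/* RTCP feedback header (RFC 4585, PT 205 = RTPFB, PT 206 = PSFB):
 * byte 0: V(2) P(1) FMT(5); byte 1: PT; bytes 2-3: length in 32-bit words minus one;
 * bytes 4-7: sender SSRC; bytes 8-11: media source SSRC; bytes 12..: FCI. */
#define RTCP_FB_HEADER_LEN 12u

typedef enum {
    RTCP_FB_OK = 0,
    RTCP_FB_TRUNCATED,    /* fewer than 12 bytes received */
    RTCP_FB_BAD_VERSION,
    RTCP_FB_BAD_PT,
    RTCP_FB_BAD_LENGTH    /* declared length shorter than a header or longer than the payload */
} rtcp_fb_status;

/* The overflow pattern the advisory describes, shown as a narrowing to 16 bits
 * (hypothetical, not the decoder's own code): for a length field of 0xFFFF,
 * (0xFFFF + 1) * 4 = 0x40000 truncates to 0, so a later room check passes
 * and the parser reads past the buffer. */
uint16_t declared_bytes_narrowed(uint16_t length_words)
{
    return (uint16_t)((length_words + 1) * 4);
}

/* Hardened check: size_t arithmetic cannot wrap for a 16-bit length field
 * (maximum 262144 bytes), and the declared size is bounded by what arrived. */
rtcp_fb_status rtcp_fb_validate(const uint8_t *buf, size_t payload_len, size_t *fci_len)
{
    if (payload_len < RTCP_FB_HEADER_LEN) return RTCP_FB_TRUNCATED;
    if ((buf[0] >> 6) != 2) return RTCP_FB_BAD_VERSION;
    if (buf[1] != 205 && buf[1] != 206) return RTCP_FB_BAD_PT;
    size_t words = ((size_t)buf[2] << 8) | buf[3];
    size_t declared = (words + 1) * 4;
    if (declared < RTCP_FB_HEADER_LEN || declared > payload_len)
        return RTCP_FB_BAD_LENGTH;
    *fci_len = declared - RTCP_FB_HEADER_LEN;   /* bytes the caller may parse */
    return RTCP_FB_OK;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t SAMPLE_PLI[12]  = {0x81, 0xCE, 0x00, 0x02, 0x11, 0x22, 0x33, 0x44,
                                 0x55, 0x66, 0x77, 0x88};
const uint8_t SAMPLE_NACK[16] = {0x81, 0xCD, 0x00, 0x03, 0x11, 0x22, 0x33, 0x44,
                                 0x55, 0x66, 0x77, 0x88, 0x00, 0x2A, 0x00, 0x00};
/* Same 16 bytes on the wire, but the length field claims 0xFFFF words. */
const uint8_t SAMPLE_OVERLONG[16] = {0x81, 0xCD, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44,
                                     0x55, 0x66, 0x77, 0x88, 0x00, 0x2A, 0x00, 0x00};
```

The same comparison of declared length against received payload size is what a boundary inspection rule would apply to each RTCP feedback packet.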

Monitoring Recommendations

  • Enable verbose logging on session border controllers and media relays to capture RTCP header anomalies
  • Monitor mobile device management (MDM) telemetry for Android patch level adoption against the June 2026 bulletin
  • Track outbound flows from devices after suspicious RTCP traffic to identify potential information disclosure channels

How to Mitigate CVE-2026-0128

Immediate Actions Required

  • Apply the Android security patch level dated 2026-06-01 or later on all managed Android and Pixel devices
  • Restrict acceptance of inbound RTCP traffic to known, authenticated media peers using session border controllers
  • Disable or constrain WebRTC and Voice over IP applications that cannot be updated until patches are available

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Device manufacturers distribute the patch through their standard Android security update channels. Verify the security patch level on the device matches 2026-06-01 or later.

Workarounds

  • Block untrusted RTCP feedback traffic at the network perimeter where business requirements allow
  • Require Secure RTCP (SRTCP) with authenticated peers to limit exposure to anonymous attackers
  • Avoid joining real-time media sessions from unknown originators on unpatched devices
```bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
