CVE-2026-0129 Overview
CVE-2026-0129 is an out-of-bounds read vulnerability in the Android RtcpByePacket::decodeByePacket function caused by a missing bounds check [CWE-120]. The flaw allows a remote attacker to disclose process memory contents without requiring additional execution privileges. Exploitation requires user interaction, which reduces the practical attack surface. Google addressed the issue in the Android Security Bulletin June 2026. The vulnerability affects Android devices that process Real-time Transport Control Protocol (RTCP) BYE packets through the affected media stack component.
Critical Impact
Remote attackers can read out-of-bounds memory from the Android media stack, leading to information disclosure when a user interacts with a crafted RTCP stream.
Affected Products
- Google Android (per Pixel Security Bulletin, June 2026)
- Devices processing RTCP BYE packets via the affected RtcpByePacket decoder
- Components tracked under CPE cpe:2.3:o:google:android
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin addressing the issue
- 2026-06-16 - CVE-2026-0129 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2026-0129
Vulnerability Analysis
The vulnerability resides in RtcpByePacket::decodeByePacket, a function responsible for parsing the BYE control packet within the RTCP protocol. RTCP BYE packets signal the end of participation in a Real-time Transport Protocol (RTP) session and carry a list of synchronization source (SSRC) identifiers along with an optional reason-for-leaving string.
The decoder fails to validate packet length boundaries before reading fields from the incoming buffer. An attacker controlling the RTCP stream can craft a malformed BYE packet that causes the parser to read beyond the allocated buffer. The disclosed memory may contain adjacent process state from the Android media framework.
Exploitation requires user interaction, such as accepting or joining a session that delivers the malicious RTCP traffic. The classification under [CWE-120] reflects a buffer copy without checking the size of the input, leading to an out-of-bounds memory read.
Root Cause
The root cause is a missing length validation between the RTCP header-declared packet size and the offset arithmetic used to extract SSRC entries and the optional reason field. Without this check, the decoder dereferences memory past the end of the legitimate packet payload.
Attack Vector
The attack vector is network-based. A remote peer or signaling endpoint delivers a malformed RTCP BYE packet through an active media session. The victim must interact with the session, for example by answering a Voice over IP (VoIP) call or joining a Web Real-Time Communication (WebRTC) channel that triggers parsing of the malicious packet. No additional privileges are needed once parsing occurs.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the Android Security Bulletin June 2026.
Detection Methods for CVE-2026-0129
Indicators of Compromise
- Inbound RTCP packets with a payload type of 203 (BYE) where the declared length field is inconsistent with the actual buffer size.
- Repeated crashes or anomalous memory access patterns in Android media framework processes handling RTP/RTCP traffic.
- Unexpected outbound data flows following the receipt of malformed RTCP BYE packets from untrusted peers.
Detection Strategies
- Inspect RTCP traffic at the network boundary and validate that BYE packet length fields match the on-wire size.
- Alert on RTCP BYE packets containing more SSRC entries than the header length can legitimately contain.
- Correlate user interaction events (call answer, session join) with subsequent media-process anomalies on Android endpoints.
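The length validation described under Root Cause and the first two detection strategies above reduce to the same three comparisons: the RTCP header's declared length against the bytes actually received, the SSRC count against that declared length, and the optional reason length against what remains. The decoder below is an added example written for this page to show those checks in working C; it is not the AOSP RtcpByePacket code, and the function names, error codes and packet bytes are constructed for illustration. It accepts the well-formed sample and rejects each malformed shape the detection bullets describe instead of reading past the buffer.

```c
/* Bounds-checked RTCP BYE (PT=203) decoder, illustrating the length checks
 * a safe parser needs. Example code, not AOSP's implementation; the sample
 * packets below are constructed, not captured traffic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RTCP_PT_BYE 203
#define MAX_SSRC 31                 /* SC is a 5-bit field */

typedef struct {
    unsigned ssrc_count;
    uint32_t ssrc[MAX_SSRC];
    unsigned reason_len;
    char reason[256];               /* reason length byte is at most 255 */
} RtcpBye;

/* Result codes (constructed for this example). */
enum {
    BYE_OK = 0,
    BYE_ERR_SHORT_HEADER,           /* fewer than 4 bytes received */
    BYE_ERR_NOT_BYE,                /* version != 2 or PT != 203 */
    BYE_ERR_LENGTH_EXCEEDS_BUFFER,  /* header claims more bytes than received */
    BYE_ERR_SSRC_OVERFLOW,          /* SC entries do not fit in declared length */
    BYE_ERR_REASON_OVERFLOW         /* reason string runs past declared length */
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

int decode_bye(const uint8_t *buf, size_t buf_len, RtcpBye *out) {
    memset(out, 0, sizeof *out);
    if (buf_len < 4) return BYE_ERR_SHORT_HEADER;

    unsigned version = buf[0] >> 6;
    unsigned sc = buf[0] & 0x1f;
    unsigned pt = buf[1];
    /* RFC 3550: length is in 32-bit words minus one, header included. */
    size_t declared = ((size_t)((buf[2] << 8) | buf[3]) + 1) * 4;

    if (version != 2 || pt != RTCP_PT_BYE) return BYE_ERR_NOT_BYE;
    /* Check 1: never trust the header over the bytes actually received. */
    if (declared > buf_len) return BYE_ERR_LENGTH_EXCEEDS_BUFFER;
    /* Check 2: SC 32-bit SSRC entries must fit after the 4-byte header. */
    size_t off = 4;
    if (off + (size_t)sc * 4 > declared) return BYE_ERR_SSRC_OVERFLOW;
    for (unsigned i = 0; i < sc; i++, off += 4)
        out->ssrc[i] = read_be32(buf + off);
    out->ssrc_count = sc;
    /* Check 3: optional length-prefixed reason must also fit (padding, if
     * the P bit is set, is left in place and not interpreted here). */
    if (off < declared) {
        unsigned rlen = buf[off];
        if (off + 1 + rlen > declared) return BYE_ERR_REASON_OVERFLOW;
        memcpy(out->reason, buf + off + 1, rlen);
        out->reason[rlen] = '\0';
        out->reason_len = rlen;
    }
    return BYE_OK;
}

/* Constructed sample packets. */
static const uint8_t GOOD_BYE[] = {
    0x81, 0xcb, 0x00, 0x02,         /* V=2, SC=1, PT=203, length=2 -> 12 bytes */
    0xde, 0xad, 0xbe, 0xef,         /* SSRC */
    0x03, 'b', 'y', 'e'             /* reason length 3, "bye" */
};
static const uint8_t LYING_LENGTH[] = {
    0x81, 0xcb, 0x00, 0xff,         /* claims (255+1)*4 = 1024 bytes, 8 received */
    0xde, 0xad, 0xbe, 0xef
};
static const uint8_t SSRC_OVERFLOW[] = {
    0x9f, 0xcb, 0x00, 0x01,         /* SC=31, but length=1 means only 8 bytes */
    0xde, 0xad, 0xbe, 0xef
};
static const uint8_t REASON_OVERFLOW[] = {
    0x81, 0xcb, 0x00, 0x02,
    0xde, 0xad, 0xbe, 0xef,
    0xff, 'b', 'y', 'e'             /* reason length 255 inside a 12-byte packet */
};

/* Classify a buffer without keeping the decoded fields. */
int classify_bye(const uint8_t *buf, size_t buf_len) {
    RtcpBye tmp;
    return decode_bye(buf, buf_len, &tmp);
}

/* Decode the well-formed sample and return its first SSRC (0 on failure). */
uint32_t good_bye_first_ssrc(void) {
    RtcpBye b;
    if (decode_bye(GOOD_BYE, sizeof GOOD_BYE, &b) != BYE_OK) return 0;
    return b.ssrc[0];
}

int main(void) {
    struct { const char *name; const uint8_t *buf; size_t len; } s[] = {
        {"well-formed", GOOD_BYE, sizeof GOOD_BYE},
        {"length exceeds buffer", LYING_LENGTH, sizeof LYING_LENGTH},
        {"SSRC count overflow", SSRC_OVERFLOW, sizeof SSRC_OVERFLOW},
        {"reason overflow", REASON_OVERFLOW, sizeof REASON_OVERFLOW},
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-22s -> code %d\n", s[i].name, classify_bye(s[i].buf, s[i].len));
    return 0;
}
```

The same three comparisons can run in a passive network monitor over the RTCP payload of each UDP datagram: any packet that returns a non-zero code from `decode_bye` is exactly the kind of inconsistent BYE packet the indicators above describe, and the code value tells the analyst which field was inconsistent.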
Monitoring Recommendations
- Collect mobile endpoint telemetry on Android security patch level to identify devices below the June 2026 patch baseline.
- Capture and retain RTP/RTCP flow metadata from enterprise VoIP and conferencing infrastructure for retrospective analysis.
- Monitor crash reports from the Android media stack for signatures involving RtcpByePacket decoding.
How to Mitigate CVE-2026-0129
Immediate Actions Required
- Apply the Android security patch level dated 2026-06-01 or later on all managed devices.
- Enforce minimum patch level policy through mobile device management (MDM) for users on VoIP and conferencing applications.
- Restrict RTCP traffic from untrusted networks at the edge where feasible.
Patch Information
Google released the fix in the June 2026 Android Security Bulletin. Refer to the Android Security Bulletin June 2026 for the patch identifier and the corresponding source changes in the Android Open Source Project (AOSP) media stack.
Workarounds
- Avoid joining real-time media sessions originating from untrusted endpoints until the device patch level reflects the June 2026 update.
- Constrain RTP/RTCP signaling to vetted Session Border Controllers (SBCs) that validate RTCP framing before forwarding traffic.
- Disable optional media features that rely on the affected decoder where the application permits configuration.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

