CVE-2026-0131 Overview
CVE-2026-0131 affects Google Android. The vulnerability resides in RtpPacket::decodePacket, where an integer overflow allows out-of-bounds access during Real-time Transport Protocol (RTP) packet parsing [CWE-125]. Successful exploitation enables local escalation of privilege without requiring additional execution privileges. User interaction is required to trigger the flaw, typically through processing a crafted RTP stream. Google published the fix in the Android Security Bulletin June 2026.
Critical Impact
A local attacker can leverage an integer overflow in RTP packet decoding to achieve privilege escalation on affected Android devices after user interaction.
Affected Products
- Google Android (per CPE cpe:2.3:o:google:android:-:*:*:*:*:*:*:*)
- Pixel devices covered by the June 2026 Pixel security bulletin
- Android builds shipping the vulnerable RTP stack prior to the June 2026 patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0131 published to the National Vulnerability Database
- 2026-06-17 - Entry last modified in NVD
Technical Details for CVE-2026-0131
Vulnerability Analysis
The defect occurs inside RtpPacket::decodePacket, a function responsible for parsing inbound RTP packets used in audio and video streaming on Android. The implementation performs arithmetic on attacker-influenced length or offset fields without sufficient bounds validation. When the calculation overflows the integer range, the resulting value wraps to a small or negative quantity, bypassing subsequent size checks.
The code then uses the wrapped value as an index or length into the packet buffer. This causes the decoder to read memory outside the bounds of the intended buffer. The out-of-bounds access can be steered by the attacker to influence control flow inside a privileged media process, yielding local privilege escalation.
The CWE-125 classification reflects the out-of-bounds read symptom, while the underlying root cause is the integer overflow in size arithmetic. Exploitation requires the victim to interact with malicious media content, for example by opening a crafted file or joining a hostile streaming session.
Root Cause
The RTP decoder trusts arithmetic over packet-supplied length fields. Multiplying or adding these values produces an overflow when the inputs exceed the representable range of the integer type. The check that follows compares the overflowed result against a buffer limit, which incorrectly succeeds. The vulnerable path then accesses the buffer using the unsafe value.
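The pattern described above, shown on the RFC 3550 header-extension length field as an added illustration. This is not the Android RtpPacket::decodePacket source: the function names, the 16-bit offset variable and the sample packets are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HDR 12u /* RFC 3550 fixed header size in bytes */

/* Constructed packets: V=2, X=1, CC=0; extension length (32-bit words) at bytes 14..15. */
static const uint8_t SAMPLE_OK[24]   = {0x90,0x60,0,1, 0,0,0,0, 0,0,0,0, 0xBE,0xDE,0x00,0x01};
static const uint8_t SAMPLE_WRAP[20] = {0x90,0x60,0,1, 0,0,0,0, 0,0,0,0, 0xBE,0xDE,0x40,0x00};

/* Weak form (hypothetical): offset kept in 16 bits, so the sum wraps before the check. */
long payload_offset_wrapping(const uint8_t *pkt, size_t len)
{
    if (len < RTP_FIXED_HDR) return -1;
    uint16_t off = (uint16_t)(RTP_FIXED_HDR + (pkt[0] & 0x0Fu) * 4u); /* CSRC list */
    if (pkt[0] & 0x10) {                          /* X bit: extension present */
        if ((size_t)off + 4 > len) return -1;
        uint16_t words = (uint16_t)(pkt[off + 2] << 8 | pkt[off + 3]);
        off = (uint16_t)(off + 4u + words * 4u);  /* 16 + 0x4000*4 wraps to 16 */
    }
    return off <= len ? (long)off : -1;           /* check sees the wrapped value */
}

/* Hardened form: size_t arithmetic, each length compared to the bytes remaining. */
long payload_offset_checked(const uint8_t *pkt, size_t len)
{
    if (len < RTP_FIXED_HDR) return -1;
    size_t off = RTP_FIXED_HDR + (size_t)(pkt[0] & 0x0Fu) * 4u;
    if (off > len) return -1;
    if (pkt[0] & 0x10) {
        if (len - off < 4) return -1;             /* extension header must fit */
        size_t ext = (size_t)(pkt[off + 2] << 8 | pkt[off + 3]) * 4u;
        off += 4;
        if (ext > len - off) return -1;           /* subtract, never add, to compare */
        off += ext;
    }
    return (long)off;
}

int main(void)
{
    printf("well-formed: weak=%ld checked=%ld\n",
           payload_offset_wrapping(SAMPLE_OK, sizeof SAMPLE_OK),
           payload_offset_checked(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("wrapping:    weak=%ld checked=%ld\n",
           payload_offset_wrapping(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           payload_offset_checked(SAMPLE_WRAP, sizeof SAMPLE_WRAP));
    return 0;
}
```

The weak form accepts the 20-byte constructed packet even though its extension field declares 65536 bytes; the hardened form rejects it because the declared length is compared against the bytes that remain.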
Attack Vector
The attack vector is local. An attacker delivers a crafted RTP payload that the targeted Android device decodes, for example through a malicious application invoking media APIs or through a hostile streaming endpoint. After the user interacts with the attacker-controlled content, the integer overflow triggers the out-of-bounds access in the media component, allowing privilege escalation within the device.
No public proof-of-concept is referenced in the advisory, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Android Security Bulletin June 2026 for component-level technical details.
Detection Methods for CVE-2026-0131
Indicators of Compromise
- Unexpected crashes or SIGSEGV signals in Android media processes handling RTP traffic
- Native crash logs referencing RtpPacket::decodePacket or adjacent RTP parsing symbols
- Installation of unverified applications immediately preceding media-related process instability
Detection Strategies
- Compare device security patch level against the June 2026 Android Security Bulletin baseline to identify unpatched fleet endpoints.
- Hunt mobile device management (MDM) telemetry for applications requesting RTP-capable media permissions from untrusted sources.
- Review crash and tombstone artifacts from Android media services for repeated faults inside RTP decoding routines.
Monitoring Recommendations
- Centralize Android crash reports and tombstones for correlation against known RTP parsing symbols.
- Monitor enterprise application catalogs and sideload events for media-handling applications that may deliver crafted RTP payloads.
- Track patch compliance for the June 2026 Android security patch level across the managed device estate.
How to Mitigate CVE-2026-0131
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) on all affected devices.
- Restrict installation of applications to vetted sources and block sideloading where policy permits.
- Advise users to avoid opening untrusted media files, streams, or links until devices are patched.
Patch Information
Google addressed the issue in the June 2026 Android Security Bulletin. Devices reporting a security patch level of 2026-06-01 or later contain the fix. Pixel and partner OEM updates are tracked in the Android Security Bulletin June 2026. Enterprise administrators should enforce patch compliance through MDM policies.
Workarounds
- Disable or limit applications that process untrusted RTP streams until the patch is deployed.
- Enforce Play Protect and verified application sources to reduce exposure to malicious media-handling apps.
- Use MDM conditional access to deny corporate resource access from devices below the 2026-06-01 patch level.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

