CVE-2026-0135 Overview
CVE-2026-0135 is an out-of-bounds read vulnerability in the Modem component of Google Android. The flaw stems from a missing bounds check that allows attackers to read memory outside the intended buffer. According to Google, the issue could lead to remote code execution without requiring additional execution privileges. User interaction is not required for exploitation.
The vulnerability is tracked under CWE-125: Out-of-bounds Read and affects the cellular Modem subsystem on Android. Google addressed the issue in the Android Security Bulletin June 2026.
Critical Impact
A missing bounds check in the Android Modem component enables out-of-bounds memory reads that can escalate to remote code execution without user interaction.
Affected Products
- Google Android (Modem component)
- Google Pixel devices covered by the June 2026 security bulletin
- Android builds prior to the June 2026 security patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0135 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0135
Vulnerability Analysis
The vulnerability resides in the Modem component used by Android to manage cellular baseband communication. A code path processes input data without validating the length or offset against the allocated buffer size. As a result, the Modem reads memory beyond the buffer boundary.
Google states that this out-of-bounds read can lead to remote code execution with no additional execution privileges. The condition arises because adjacent memory regions can be interpreted as control data, function pointers, or length fields by downstream parsing logic. An attacker who influences the contents of the surrounding memory can steer execution flow.
The CVSS vector indicates a local attack vector with low complexity and low privileges, and exploitation does not require user interaction. The flaw impacts confidentiality, integrity, and availability of the device.
Root Cause
The root cause is a missing bounds check in the Modem code path that handles structured input. The implementation trusts a size or index value without comparing it to the destination buffer length. This classifies the defect as CWE-125: Out-of-bounds Read.
Attack Vector
An attacker with the ability to send crafted input to the Modem component triggers the read primitive. Combined with weak validation in adjacent parsing logic, the leaked or misinterpreted data can be transformed into remote code execution. No user interaction is required, which raises the practical risk for devices that process untrusted baseband input.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Android Security Bulletin June 2026 for component-specific technical references.
Detection Methods for CVE-2026-0135
Indicators of Compromise
- Unexpected Modem crashes, resets, or radio interface layer (RIL) restarts logged in logcat or dmesg.
- Anomalous cellular baseband memory dumps or vendor-specific Modem ramdumps generated outside normal operating conditions.
- Devices reporting a security patch level earlier than the June 2026 Android Security Bulletin.
Detection Strategies
- Inventory all managed Android devices and compare their ro.build.version.security_patch value against the 2026-06-01 patch level.
- Use mobile device management (MDM) compliance policies to flag devices missing the June 2026 security patch.
- Monitor vendor crash telemetry from the Modem subsystem for repeated faults that could indicate exploitation attempts.
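The patch-level comparison from the first strategy, as an added example (not code from the advisory or from Google). It sorts each device into PATCHED, VULNERABLE or UNKNOWN so that an offline device or malformed property is never silently counted as patched. The function names and sample serials are constructed for illustration, and live collection assumes `adb` is on the PATH with authorized devices attached.

```shell
#!/bin/sh
# Added example: audit Android security patch levels for CVE-2026-0135.
REQUIRED_PATCH=20260601   # 2026-06-01, the patch level named in the advisory

# Constructed sample inventory ("serial patch-level"); serials are made up.
SAMPLE_INVENTORY='PIXEL-A 2026-06-05
PIXEL-B 2026-05-01
OEM-C 2026-06-01
OEM-D '

# classify_patch LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN
classify_patch() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may end in CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;          # empty, offline or malformed
    esac
    # Fixed-width ISO dates compare correctly as integers once dashes are removed.
    if [ "$(printf '%s' "$level" | tr -d '-')" -ge "$REQUIRED_PATCH" ]; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# audit_inventory: reads "serial level" lines on stdin, prints "serial status",
# returns 1 if any device is not confirmed PATCHED.
audit_inventory() {
    rc=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch "$level")
        printf '%s %s\n' "$serial" "$status"
        [ "$status" = PATCHED ] || rc=1
    done
    return "$rc"
}

# collect_from_adb: emits inventory lines for every attached, authorized device.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from consuming the remaining serials on stdin
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s %s\n' "$serial" "$level"
    done
}

# Offline demo on the constructed sample; use "collect_from_adb | audit_inventory" live.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory || echo "unpatched or unknown devices found"
```

The non-zero exit status from `audit_inventory` lets a scheduled job or compliance check fail when any device is VULNERABLE or UNKNOWN.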
Monitoring Recommendations
- Forward Android device posture data to a centralized SIEM and alert on missing security patch levels.
- Track cellular baseband stability metrics across the fleet and investigate clusters of Modem resets.
- Review carrier and roaming logs for anomalous signaling that targets vulnerable devices.
How to Mitigate CVE-2026-0135
Immediate Actions Required
- Apply the Android security patch level 2026-06-01 or later to all managed devices.
- Prioritize patching of Pixel and OEM devices that handle sensitive communications or operate in high-risk environments.
- Enforce MDM policies that block or quarantine devices running pre-June 2026 patch levels.
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Devices must be updated to a build that reports a security patch level of 2026-06-01 or later. OEM and carrier patches may follow Google's release on a staggered schedule, so confirm availability with the device vendor.
Workarounds
- No vendor-supplied workaround eliminates the vulnerability; only the official patch resolves the issue.
- Reduce exposure by disabling cellular connectivity on devices that can operate on Wi-Fi only until patches are applied.
- Restrict use of unpatched devices on untrusted cellular networks and enforce conditional access policies.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

