CVE Vulnerability Database

CVE-2026-0140: Google Android Information Disclosure Flaw

CVE-2026-0140 is an information disclosure vulnerability in Google Android caused by an out-of-bounds read in RtpPacket::decodePacket. This article covers the technical details, affected versions, and mitigation strategies.


CVE-2026-0140 Overview

CVE-2026-0140 is an out-of-bounds read vulnerability in the Android RtpPacket::decodePacket function. The flaw stems from an integer overflow during Real-time Transport Protocol (RTP) packet decoding. A remote attacker can read memory contents beyond the intended buffer boundary, resulting in information disclosure. Exploitation requires user interaction but does not require additional execution privileges. The vulnerability is classified under [CWE-125] Out-of-Bounds Read and affects Google Android as documented in the June 2026 Android Security Bulletin.

Critical Impact

Remote attackers can disclose sensitive process memory contents by inducing a user to process a crafted RTP packet, with no elevated privileges required on the target device.

Affected Products

  • Google Android (per Android Security Bulletin 2026-06-01)
  • Pixel devices receiving the June 2026 security patch level
  • Android components handling RTP packet decoding in media/telephony stacks

Discovery Timeline

  • 2026-06-01 - Patch published in Android Security Bulletin (Pixel)
  • 2026-06-16 - CVE-2026-0140 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0140

Vulnerability Analysis

The vulnerability resides in RtpPacket::decodePacket, the routine responsible for parsing inbound RTP packets within Android's media handling code. An integer overflow occurs during length or offset arithmetic on attacker-controlled fields in the RTP header or payload. The overflowed value is subsequently used as a bounds parameter, causing the decoder to read past the end of the allocated buffer.

The disclosed memory may contain residual data from prior allocations within the same process, including session state, decoded media fragments, or other sensitive runtime values. The vulnerability does not enable code execution or memory modification, limiting impact to confidentiality. Exploitation requires the victim to interact with attacker-supplied media content, such as accepting a call or opening a crafted media stream.

Root Cause

The root cause is unchecked integer arithmetic on RTP packet length or offset fields prior to a buffer access. When the computed value wraps, the subsequent read operation references memory outside the legitimate packet buffer. The defect maps to [CWE-125] Out-of-Bounds Read, with an integer overflow precondition.
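As an added illustration of this defect class (constructed for this article, not Android's RtpPacket::decodePacket, whose source the bulletin does not reproduce here), the following C routine parses the RFC 3550 RTP header and compares every variable-length field against the bytes remaining before advancing the offset, which is the check whose absence lets a wrapped sum pass a bounds test. The sample packets are constructed, not captures.

```c
#include <stddef.h>
#include <stdint.h>

#define RTP_FIXED_HDR 12   /* V/P/X/CC, M/PT, seq, timestamp, SSRC (RFC 3550) */

/* Return the RTP payload length, or -1 if any header field would place a
 * read outside the packet. Each variable-length part (CSRC list, header
 * extension, padding) is compared against the bytes *remaining* before the
 * offset is advanced, so no sum can wrap past the buffer end. */
long rtp_payload_len(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < RTP_FIXED_HDR || (pkt[0] >> 6) != 2)
        return -1;

    size_t off = RTP_FIXED_HDR;
    size_t csrc_bytes = (size_t)(pkt[0] & 0x0F) * 4;   /* CC * 4 */
    if (csrc_bytes > len - off)
        return -1;
    off += csrc_bytes;

    if (pkt[0] & 0x10) {                  /* X: extension header present */
        if (len - off < 4)
            return -1;
        /* length is in 32-bit words and excludes the 4-byte extension header;
         * 0xFFFF words would wrap a 16-bit accumulator but not a size_t */
        size_t ext_bytes = (((size_t)pkt[off + 2] << 8) | pkt[off + 3]) * 4;
        off += 4;
        if (ext_bytes > len - off)
            return -1;
        off += ext_bytes;
    }

    size_t pad = 0;
    if (pkt[0] & 0x20) {                  /* P: last byte is the pad count */
        pad = pkt[len - 1];               /* count includes that byte itself */
        if (pad == 0 || pad > len - off)
            return -1;
    }
    return (long)(len - off - pad);
}

/* Constructed sample packets (not captures): a well-formed packet with a
 * 4-byte payload, and one whose extension length claims 0xFFFF words. */
static const uint8_t kRtpValid[16] = {
    0x80, 0x60, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t kRtpBadExt[16] = {
    0x90, 0x60, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0xBE, 0xDE, 0xFF, 0xFF };
```

The same routine can be run over captured RTP headers to flag packets whose length fields exceed the packet size, which is the telemetry check described under Detection Strategies.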

Attack Vector

The attack vector is network-based and triggered by a malformed RTP packet delivered through any Android pathway that invokes the affected decoder. Common delivery paths include Voice over IP (VoIP) calls, WebRTC sessions, and streaming media. User interaction is required to initiate or accept the media session that feeds the packet to RtpPacket::decodePacket.

No public proof-of-concept or exploit code is currently available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Android Security Bulletin 2026-06-01 for vendor technical details.

Detection Methods for CVE-2026-0140

Indicators of Compromise

  • Unexpected crashes or SIGSEGV signals in Android media processes referencing RtpPacket::decodePacket stack frames
  • Inbound RTP traffic from untrusted peers with malformed length fields or implausible header values
  • Anomalous VoIP or WebRTC session initiation from unknown SIP or signaling endpoints

Detection Strategies

  • Inspect network telemetry for RTP packets with header field values that would trigger arithmetic wraparound during length computation
  • Monitor Android tombstone and logcat output for repeated faults in RTP decoding components
  • Correlate VoIP/WebRTC session metadata with crash reports to identify attacker-controlled sources

Monitoring Recommendations

  • Centralize Android device crash and security log telemetry for fleet-wide visibility
  • Track Android security patch level distribution to confirm coverage of the June 2026 patch
  • Alert on outbound connections from media applications immediately following inbound RTP sessions, which may indicate exfiltration of leaked memory

How to Mitigate CVE-2026-0140

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) on all managed devices
  • Enforce minimum patch level policies through mobile device management (MDM) to block non-compliant devices
  • Restrict installation of VoIP and communication applications to vetted sources until devices are updated

Patch Information

Google released a fix in the June 2026 Android Security Bulletin. Devices receiving the security patch level 2026-06-01 or later contain the corrected RtpPacket::decodePacket implementation. Refer to the Android Security Bulletin 2026-06-01 for component-specific patch details and source references.

Workarounds

  • Disable or limit RTP-based services such as VoIP and WebRTC on devices that cannot be patched immediately
  • Block inbound RTP traffic from untrusted networks at the perimeter or via on-device firewall policies
  • Train users to reject unsolicited VoIP calls and media sessions from unknown contacts to remove the required user interaction

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
