CVE-2026-0141 Overview
CVE-2026-0141 is an out-of-bounds (OOB) read vulnerability in the decodeAppPacket function of RtcpAppPacket.cpp in Google Android. The flaw stems from a missing bounds check during the decoding of RTCP (Real-time Transport Control Protocol) application packets. An attacker with low privileges can trigger remote information disclosure without user interaction. The weakness is classified under CWE-120 (Buffer Copy without Checking Size of Input).
Critical Impact
Remote information disclosure from the Android RTCP packet handler without user interaction, exposing process memory contents to a network-positioned attacker.
Affected Products
- Google Android (per the June 2026 Pixel Security Bulletin)
Discovery Timeline
- 2026-06-01 - Addressed in the Android Security Bulletin June 2026
- 2026-06-16 - CVE-2026-0141 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2026-0141
Vulnerability Analysis
The vulnerability resides in decodeAppPacket within RtcpAppPacket.cpp, the Android component responsible for parsing RTCP APP (Application-Defined) packets. RTCP APP packets carry application-specific control data alongside RTP media streams. The decoder reads fields from an attacker-controlled packet without validating that the declared length stays within the bounds of the received buffer. As a result, the function reads memory beyond the allocated packet buffer, returning adjacent process memory to logic that may transmit or expose it.
Because the affected code path processes network-sourced data, exploitation requires only that an attacker deliver a crafted RTCP packet to a vulnerable session. The CVSS vector indicates low privileges are required and no user interaction is necessary. Impact is limited to confidentiality, with no integrity or availability impact.
Root Cause
The root cause is a missing bounds check before reading length-prefixed or offset-based fields in the RTCP APP packet structure. The decoder trusts header-derived offsets without confirming they fall inside the buffer received from the network stack, allowing reads past the end of the allocation.
Attack Vector
An attacker positioned on the network path of an established RTP/RTCP session sends a malformed RTCP APP packet. The vulnerable decoder processes the packet within the media or telephony stack of the Android device. The OOB read returns adjacent heap or stack contents, which may include session state, keys, tokens, or other process memory that can be exfiltrated through error responses, telemetry, or subsequent protocol messages.
No verified proof-of-concept code is publicly available. Technical details are described in the Android Security Bulletin June 2026.
Detection Methods for CVE-2026-0141
Indicators of Compromise
- Anomalous RTCP APP packets with length fields that exceed the UDP payload size or RTCP compound packet boundary.
- Unexpected media or telephony process crashes referencing RtcpAppPacket or decodeAppPacket in tombstone crash logs.
- Inbound RTP/RTCP traffic from sources outside known SIP, WebRTC, or VoIP signaling peers.
Detection Strategies
- Inspect RTCP traffic at network sensors and flag packets where the RTCP length field is inconsistent with the actual datagram size.
- Correlate logcat and crash dumps from media services with inbound network flows to identify malformed RTCP delivery attempts.
- Hunt mobile EDR telemetry for repeated crashes of media-handling processes following RTP session establishment.
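The bounds check described under Root Cause and the length-consistency check called for in the detection strategies above, written out as an added example. This is not Android's code and borrows nothing from RtcpAppPacket.cpp: it is a standalone C decoder for the RTCP APP packet layout defined in RFC 3550 section 6.7 that validates the header-derived size against the buffer that actually arrived before reading any field, plus a sensor-side walk over a compound RTCP datagram that reports the first packet whose declared length overruns the datagram. All function names, status codes and packet bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3550 6.7: APP packet = 4-byte common header, 4-byte SSRC, 4-byte ASCII
 * name, then application data. The 16-bit length field is the packet size in
 * 32-bit words minus one, so declared bytes = (length + 1) * 4. */
#define RTCP_PT_APP 204
#define RTCP_APP_HDR_LEN 12

typedef enum {
    RTCP_APP_OK = 0,
    RTCP_APP_ERR_TRUNCATED_HEADER,      /* fewer than 12 bytes received */
    RTCP_APP_ERR_BAD_VERSION,           /* V field is not 2 */
    RTCP_APP_ERR_BAD_PT,                /* payload type is not APP (204) */
    RTCP_APP_ERR_LENGTH_TOO_SHORT,      /* declared size smaller than the header */
    RTCP_APP_ERR_LENGTH_EXCEEDS_BUFFER, /* declared size overruns what arrived */
    RTCP_APP_ERR_BAD_PADDING            /* P bit set but pad count is invalid */
} rtcp_app_status;

typedef struct {
    uint8_t subtype;
    uint32_t ssrc;
    char name[5];          /* NUL-terminated copy of the 4-byte name */
    const uint8_t *data;   /* points into the caller's buffer */
    size_t data_len;       /* application data bytes, padding excluded */
} rtcp_app_packet;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode one APP packet. Every read is preceded by a check that the bytes
 * exist in the received buffer; nothing is trusted from the header alone. */
rtcp_app_status rtcp_app_decode(const uint8_t *buf, size_t buf_len, rtcp_app_packet *out)
{
    if (buf_len < RTCP_APP_HDR_LEN) return RTCP_APP_ERR_TRUNCATED_HEADER;
    if ((buf[0] >> 6) != 2) return RTCP_APP_ERR_BAD_VERSION;
    if (buf[1] != RTCP_PT_APP) return RTCP_APP_ERR_BAD_PT;
    size_t declared = ((size_t)rd16(buf + 2) + 1) * 4;
    if (declared < RTCP_APP_HDR_LEN) return RTCP_APP_ERR_LENGTH_TOO_SHORT;
    /* The check the advisory says was missing: the header-derived size must
     * fit inside the buffer the network stack actually handed us. */
    if (declared > buf_len) return RTCP_APP_ERR_LENGTH_EXCEEDS_BUFFER;
    size_t data_len = declared - RTCP_APP_HDR_LEN;
    if (buf[0] & 0x20) {                        /* P bit: last octet is the pad count */
        uint8_t pad = buf[declared - 1];
        if (pad == 0 || pad > data_len) return RTCP_APP_ERR_BAD_PADDING;
        data_len -= pad;
    }
    out->subtype = buf[0] & 0x1f;
    out->ssrc = rd32(buf + 4);
    memcpy(out->name, buf + 8, 4);
    out->name[4] = '\0';
    out->data = buf + RTCP_APP_HDR_LEN;
    out->data_len = data_len;
    return RTCP_APP_OK;
}

/* Sensor-side check: walk a compound RTCP datagram using only the 4-byte
 * common header and return the offset of the first packet whose declared
 * length overruns the datagram, or -1 if every packet fits. */
long rtcp_compound_find_overrun(const uint8_t *dgram, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4) return (long)off;    /* truncated common header */
        size_t declared = ((size_t)rd16(dgram + off + 2) + 1) * 4;
        if (declared > len - off) return (long)off;
        off += declared;                        /* declared >= 4, so this advances */
    }
    return -1;
}

/* Constructed samples, not captured traffic. */
static const uint8_t SAMPLE_OK[16] = {
    0x80, 204, 0x00, 0x03,         /* V=2 P=0 subtype=0, PT=APP, length=3 -> 16 bytes */
    0xDE, 0xAD, 0xBE, 0xEF, 'T', 'E', 'S', 'T', 0x01, 0x02, 0x03, 0x04 };
static const uint8_t SAMPLE_PADDED[20] = {
    0xA0, 204, 0x00, 0x04,         /* P=1, length=4 -> 20 bytes, last octet = pad count */
    0xDE, 0xAD, 0xBE, 0xEF, 'P', 'A', 'D', 'D',
    0x01, 0x02, 0x03, 0x04, 0x00, 0x00, 0x00, 0x04 };
static const uint8_t SAMPLE_COMPOUND[32] = {   /* a good packet, then one claiming 1024 bytes */
    0x80, 204, 0x00, 0x03, 0xDE, 0xAD, 0xBE, 0xEF, 'T', 'E', 'S', 'T', 0x01, 0x02, 0x03, 0x04,
    0x80, 204, 0x00, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF, 'O', 'V', 'E', 'R', 0x01, 0x02, 0x03, 0x04 };
#define SAMPLE_OVERSIZED (SAMPLE_COMPOUND + 16) /* second packet: length=255, 16 bytes present */

/* Thin wrappers so results can be checked without a struct in hand. */
int decode_status(const uint8_t *buf, size_t len) {
    rtcp_app_packet p; return (int)rtcp_app_decode(buf, len, &p);
}
long decode_data_len(const uint8_t *buf, size_t len) {
    rtcp_app_packet p;
    return rtcp_app_decode(buf, len, &p) == RTCP_APP_OK ? (long)p.data_len : -1L;
}

int main(void)
{
    printf("ok: status %d data_len %ld\n", decode_status(SAMPLE_OK, 16), decode_data_len(SAMPLE_OK, 16));
    printf("oversized: status %d\n", decode_status(SAMPLE_OVERSIZED, 16));
    printf("compound overrun at offset %ld\n", rtcp_compound_find_overrun(SAMPLE_COMPOUND, 32));
    return 0;
}
```

The decoder rejects the oversized sample with RTCP_APP_ERR_LENGTH_EXCEEDS_BUFFER before touching the SSRC or name, which is exactly the read the advisory says the unpatched decodeAppPacket performed. The compound walk is the check a network sensor or SBC can apply to every RTCP datagram without parsing APP semantics at all: a declared length that overruns the datagram is the indicator listed above and is reason enough to drop the packet.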
Monitoring Recommendations
- Monitor Android device patch level for the 2026-06-01 security patch level or later across the fleet.
- Track RTP/RTCP-bearing applications (VoIP, conferencing, WebRTC) for abnormal session terminations or packet validation errors.
- Capture and retain RTCP packet metadata at mobile gateways to support retrospective investigation.
How to Mitigate CVE-2026-0141
Immediate Actions Required
- Apply the June 2026 Android security update (patch level 2026-06-01 or later) to all Pixel and OEM devices that have received the corresponding vendor update.
- Inventory devices that cannot receive the update and restrict their use of untrusted VoIP or WebRTC services.
- Validate that managed mobile devices report the expected post-patch build fingerprint through MDM.
Patch Information
Google released the fix as part of the Android Security Bulletin June 2026. The patch adds the missing bounds check in decodeAppPacket within RtcpAppPacket.cpp so that field offsets are validated against the actual packet length before any read occurs. OEM partners ship the fix in their respective monthly updates tied to the 2026-06-01 security patch level.
Workarounds
- Disable or restrict use of VoIP, video conferencing, and WebRTC applications on unpatched devices until vendor updates are installed.
- Route mobile RTP/RTCP traffic through SBCs or media gateways that perform strict RTCP packet validation and drop malformed APP packets.
- Enforce network segmentation and VPN policies so that media traffic only originates from trusted signaling peers.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

