CVE-2026-0144: Google Android DOS Vulnerability

CVE-2026-0144 is a denial of service vulnerability in Google Android caused by a missing bounds check in AocAudioCodec.cpp. Attackers can remotely trigger a DoS without privileges. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-0144 Overview

CVE-2026-0144 is a memory safety vulnerability in the writeAocCommand function of AocAudioCodec.cpp in Google Android. The flaw stems from a missing bounds check that allows attackers to trigger a remote denial of service (DoS) condition. Exploitation requires no user interaction and grants no additional execution privileges. The vulnerability is categorized under [CWE-120] (Buffer Copy without Checking Size of Input).

Google disclosed the issue through the Android Pixel Security Bulletin on June 1, 2026.

Critical Impact

Successful exploitation results in a remote denial of service against the audio codec subsystem, disrupting device availability without requiring user interaction.

Affected Products

  • Google Android (Pixel devices)
  • Android audio codec component (AocAudioCodec.cpp)
  • Devices using the AoC (Always-on Compute) audio subsystem

Discovery Timeline

  • 2026-06-01 - Google publishes Android Pixel Security Bulletin
  • 2026-06-16 - CVE-2026-0144 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0144

Vulnerability Analysis

The vulnerability resides in the writeAocCommand routine within AocAudioCodec.cpp, a component responsible for sending commands to the AoC (Always-on Compute) audio codec subsystem on Pixel devices. The function fails to validate the size of input data before writing it into a destination buffer. An attacker who can supply crafted command data to this code path can cause a memory safety violation that crashes the audio codec service.

The impact is limited to availability. The CVSS vector indicates no impact to confidentiality or integrity, and the scope is unchanged. However, the flaw can be triggered over a network attack vector with low privileges and no user interaction, making it suitable for automated abuse against reachable devices.

Root Cause

The root cause is a missing bounds check before a buffer write operation in writeAocCommand. [CWE-120] describes this class of defect: data is copied into a fixed-size buffer without verifying that the source length fits the destination. When oversized or malformed input reaches the function, memory corruption or an out-of-bounds write occurs, terminating the codec process.

Attack Vector

Exploitation requires the attacker to reach the AoC audio codec interface with low-privilege credentials on the target system. Once reachable, the attacker sends a crafted command payload that exceeds the expected buffer length. The missing bounds check causes the codec process to crash, denying audio functionality and potentially destabilizing dependent services. No additional execution privileges are obtained, and user interaction is not required.

Technical specifics of the vulnerable code path are detailed in the Android Pixel Security Bulletin. No public proof-of-concept exploit is available at the time of publication.

Detection Methods for CVE-2026-0144

Indicators of Compromise

  • Repeated crashes or restarts of the Android audio codec service or AoC subsystem in device logs.
  • Tombstone files in /data/tombstones/ referencing AocAudioCodec or writeAocCommand.
  • Unexpected loss of audio functionality on Pixel devices following remote command activity.

Detection Strategies

  • Monitor logcat output and kernel logs for repeated faults referencing the AoC audio codec component.
  • Correlate audio service crashes across managed Pixel fleets to surface coordinated DoS attempts.
  • Inspect mobile device management (MDM) telemetry for devices reporting elevated crash rates on audio subsystems.

Monitoring Recommendations

  • Enroll Pixel devices into MDM solutions that report security patch level and crash telemetry.
  • Track the Android security patch level on managed endpoints to confirm the June 2026 bulletin level is applied.
  • Alert on devices that fall behind the current patch baseline or that exhibit recurring audio service failures.
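
The checks above can be combined into one fleet triage pass. The following is an added example, not code from Google or from this advisory: it flags devices below the 2026-06-01 patch level, devices with repeated crash records naming AocAudioCodec or writeAocCommand, and devices whose crash bursts start close together. The device names, log excerpts, repeat threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

BASELINE = date(2026, 6, 1)      # patch level the advisory requires
MARKERS = re.compile(r"AocAudioCodec|writeAocCommand")  # strings the advisory names
REPEAT = 3                       # assumption: 3+ matching crashes counts as "repeated"
WINDOW = timedelta(minutes=10)   # assumption: cross-device correlation window

# Constructed sample data, not real device output.
PATCH_LEVELS = {"pixel-01": "2026-05-05", "pixel-02": "2026-06-01",
                "pixel-03": "2026-04-05", "pixel-04": None}
CRASHES = [  # (device, timestamp, tombstone or logcat excerpt)
    ("pixel-01", "2026-06-20T09:00:05", "backtrace frame in writeAocCommand"),
    ("pixel-01", "2026-06-20T09:01:10", "backtrace frame in writeAocCommand"),
    ("pixel-01", "2026-06-20T09:02:30", "AocAudioCodec: service restarted"),
    ("pixel-03", "2026-06-20T09:03:00", "backtrace frame in writeAocCommand"),
    ("pixel-03", "2026-06-20T09:04:00", "backtrace frame in writeAocCommand"),
    ("pixel-03", "2026-06-20T09:05:00", "backtrace frame in writeAocCommand"),
    ("pixel-02", "2026-06-20T11:00:00", "camera service crash"),
]

def below_baseline(levels, baseline=BASELINE):
    """Devices whose patch level is missing, unparsable or older than baseline."""
    out = []
    for dev, level in sorted(levels.items()):
        try:
            ok = date.fromisoformat(level) >= baseline
        except (TypeError, ValueError):
            ok = False           # unknown patch level is treated as unpatched
        if not ok:
            out.append(dev)
    return out

def repeated_aoc_crashes(crashes, repeat=REPEAT):
    """Map device -> sorted crash times, for devices with >= repeat matching records."""
    hits = defaultdict(list)
    for dev, ts, text in crashes:
        if MARKERS.search(text):
            hits[dev].append(datetime.fromisoformat(ts))
    return {d: sorted(t) for d, t in hits.items() if len(t) >= repeat}

def coordinated(crashes, window=WINDOW):
    """Devices whose repeated crashes began within `window` of another device's."""
    first = {d: t[0] for d, t in repeated_aoc_crashes(crashes).items()}
    return sorted(d for d, t in first.items()
                  if any(o != d and abs(t - first[o]) <= window for o in first))
```

A device that appears in both `below_baseline` and `coordinated` is the first candidate for patching and for review of what could reach it on the network.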

How to Mitigate CVE-2026-0144

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected Pixel devices.
  • Inventory all Pixel devices in the environment and verify their current Android security patch level.
  • Restrict network exposure of audio-related interfaces on managed Android devices until patches are deployed.

Patch Information

Google addressed CVE-2026-0144 in the June 2026 Pixel security bulletin. Devices must be updated to the 2026-06-01 security patch level or later. Refer to the Android Pixel Security Bulletin for the full list of affected builds and patch identifiers.

Workarounds

  • No vendor-supplied workaround exists; applying the security patch is the only supported remediation.
  • Limit access to local network segments where untrusted devices could reach Pixel endpoints.
  • Enforce MDM policies that block installation of untrusted applications capable of invoking the audio codec interface.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
