CVE-2026-0146 Overview
CVE-2026-0146 is an out-of-bounds write vulnerability in the mfc_core_get_dec_metadata_sei_nal function of mfc_core_reg_api.c in Google Android. The flaw stems from a missing bounds check in the Multi-Format Codec (MFC) driver when handling Supplemental Enhancement Information (SEI) Network Abstraction Layer (NAL) metadata during video decoding. Attackers can trigger remote code execution without user interaction. The vulnerability is classified under [CWE-120] Buffer Copy without Checking Size of Input.
Critical Impact
Remote code execution within the media processing context without user interaction, enabling attackers to compromise Android devices through crafted media streams.
Affected Products
- Google Android (per Android Security Bulletin June 2026)
- Pixel devices receiving the 2026-06-01 security patch level
- Devices using the affected MFC video codec driver
Discovery Timeline
- 2026-06-16 - CVE-2026-0146 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0146
Vulnerability Analysis
The vulnerability resides in mfc_core_get_dec_metadata_sei_nal, a function within the Multi-Format Codec driver responsible for extracting SEI NAL unit metadata during hardware-accelerated video decoding. The function writes attacker-controlled metadata into a destination buffer without first validating the size of the input data. Attackers can craft media payloads that exceed the expected buffer length, corrupting adjacent kernel or driver memory.
Exploitation leads to remote code execution with the privileges of the media processing component. The CWE-120 classification confirms that the root cause is a classic buffer copy operation lacking input length validation.
Root Cause
The mfc_core_get_dec_metadata_sei_nal function reads SEI NAL metadata from a decoded video frame and copies it into a fixed-size buffer. Source code in mfc_core_reg_api.c omits the bounds check that would constrain the write to within allocated memory. When the supplied metadata exceeds the buffer capacity, the write overflows into adjacent memory regions.
Attack Vector
An attacker delivers a malicious video file or stream to the target device. Processing by the affected codec triggers the vulnerable code path. Because user interaction is not required for exploitation, attack scenarios include media auto-processing in messaging applications, browser-rendered video, or background media indexing. The vulnerability requires low privileges, consistent with access to the media service interface.
No verified public proof-of-concept code is available. Refer to the Android Security Bulletin June 2026 for vendor-confirmed technical details.
Detection Methods for CVE-2026-0146
Indicators of Compromise
- Unexpected crashes or restarts of the media server or codec processes on Android devices
- Kernel logs containing SIGSEGV or memory corruption signatures referencing mfc_core functions
- Anomalous outbound network connections from media processing components following video playback
Detection Strategies
- Monitor for crash dumps referencing mfc_core_get_dec_metadata_sei_nal or mfc_core_reg_api.c in logcat output and tombstone files
- Inspect MDM telemetry for devices reporting security patch levels earlier than 2026-06-01
- Apply behavioral analytics to flag media processes spawning unexpected child processes or accessing unusual file paths
Monitoring Recommendations
- Track Android security patch level (ro.build.version.security_patch) across the device fleet
- Alert on repeated media server crashes correlated with specific media file sources or URLs
- Forward mobile endpoint telemetry to a centralized data lake for cross-device correlation of media-borne exploitation attempts
How to Mitigate CVE-2026-0146
Immediate Actions Required
- Apply the Android security patch level 2026-06-01 or later on all affected devices
- Prioritize patching for Pixel devices and OEM Android builds incorporating the MFC driver
- Restrict installation of untrusted applications and disable auto-download of media in messaging clients
Patch Information
Google addressed the vulnerability in the June 2026 Android Security Bulletin. Device manufacturers must integrate the upstream fix into vendor-specific Android builds. Consult the Android Security Bulletin June 2026 for affected components, source patches, and OEM distribution timelines.
Workarounds
- Disable auto-play and auto-download of video content in messaging and social applications until patches are applied
- Avoid opening video files from untrusted senders or unknown sources
- Enforce mobile device management policies that block sideloaded applications with media processing permissions
# Verify Android security patch level on a device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

