Skip to main content
CVE Vulnerability Database

CVE-2026-0146: Google Android RCE Vulnerability

CVE-2026-0146 is a remote code execution flaw in Google Android caused by an out of bounds write in mfc_core_get_dec_metadata_sei_nal. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-0146 Overview

CVE-2026-0146 is an out-of-bounds write vulnerability in the mfc_core_get_dec_metadata_sei_nal function of mfc_core_reg_api.c in Google Android. The flaw stems from a missing bounds check in the Multi-Format Codec (MFC) driver when handling Supplemental Enhancement Information (SEI) Network Abstraction Layer (NAL) metadata during video decoding. Attackers can trigger remote code execution without user interaction. The vulnerability is classified under [CWE-120] Buffer Copy without Checking Size of Input.

Critical Impact

Remote code execution within the media processing context without user interaction, enabling attackers to compromise Android devices through crafted media streams.

Affected Products

  • Google Android (per Android Security Bulletin June 2026)
  • Pixel devices receiving the 2026-06-01 security patch level
  • Devices using the affected MFC video codec driver

Discovery Timeline

  • 2026-06-16 - CVE-2026-0146 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0146

Vulnerability Analysis

The vulnerability resides in mfc_core_get_dec_metadata_sei_nal, a function within the Multi-Format Codec driver responsible for extracting SEI NAL unit metadata during hardware-accelerated video decoding. The function writes attacker-controlled metadata into a destination buffer without first validating the size of the input data. Attackers can craft media payloads that exceed the expected buffer length, corrupting adjacent kernel or driver memory.

Exploitation leads to remote code execution with the privileges of the media processing component. The CWE-120 classification confirms that the root cause is a classic buffer copy operation lacking input length validation.

Root Cause

The mfc_core_get_dec_metadata_sei_nal function reads SEI NAL metadata from a decoded video frame and copies it into a fixed-size buffer. Source code in mfc_core_reg_api.c omits the bounds check that would constrain the write to within allocated memory. When the supplied metadata exceeds the buffer capacity, the write overflows into adjacent memory regions.

Attack Vector

An attacker delivers a malicious video file or stream to the target device. Processing by the affected codec triggers the vulnerable code path. Because user interaction is not required for exploitation, attack scenarios include media auto-processing in messaging applications, browser-rendered video, or background media indexing. The vulnerability requires low privileges, consistent with access to the media service interface.

No verified public proof-of-concept code is available. Refer to the Android Security Bulletin June 2026 for vendor-confirmed technical details.

Detection Methods for CVE-2026-0146

Indicators of Compromise

  • Unexpected crashes or restarts of the media server or codec processes on Android devices
  • Kernel logs containing SIGSEGV or memory corruption signatures referencing mfc_core functions
  • Anomalous outbound network connections from media processing components following video playback

Detection Strategies

  • Monitor for crash dumps referencing mfc_core_get_dec_metadata_sei_nal or mfc_core_reg_api.c in logcat output and tombstone files
  • Inspect MDM telemetry for devices reporting security patch levels earlier than 2026-06-01
  • Apply behavioral analytics to flag media processes spawning unexpected child processes or accessing unusual file paths

Monitoring Recommendations

  • Track Android security patch level (ro.build.version.security_patch) across the device fleet
  • Alert on repeated media server crashes correlated with specific media file sources or URLs
  • Forward mobile endpoint telemetry to a centralized data lake for cross-device correlation of media-borne exploitation attempts

How to Mitigate CVE-2026-0146

Immediate Actions Required

  • Apply the Android security patch level 2026-06-01 or later on all affected devices
  • Prioritize patching for Pixel devices and OEM Android builds incorporating the MFC driver
  • Restrict installation of untrusted applications and disable auto-download of media in messaging clients

Patch Information

Google addressed the vulnerability in the June 2026 Android Security Bulletin. Device manufacturers must integrate the upstream fix into vendor-specific Android builds. Consult the Android Security Bulletin June 2026 for affected components, source patches, and OEM distribution timelines.

Workarounds

  • Disable auto-play and auto-download of video content in messaging and social applications until patches are applied
  • Avoid opening video files from untrusted senders or unknown sources
  • Enforce mobile device management policies that block sideloaded applications with media processing permissions
bash
# Verify Android security patch level on a device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.