CVE-2026-0147 Overview
CVE-2026-0147 is an out-of-bounds write vulnerability in the Android kernel's Multi-Format Codec (MFC) component. The flaw exists in the __mfc_core_nal_q_get_dec_metadata_sei_nal function within mfc_core_nal_q.c. A missing bounds check during parsing of Supplemental Enhancement Information (SEI) Network Abstraction Layer (NAL) units allows writes beyond allocated memory.
Successful exploitation can lead to remote code execution without additional execution privileges. User interaction is not required to trigger the condition. Google addressed the vulnerability in the June 2026 Android Security Bulletin.
Critical Impact
Attackers can achieve remote code execution on affected Android devices by delivering crafted video metadata, with no user interaction required.
Affected Products
- Google Android (Pixel devices)
- Android kernel MFC driver (mfc_core_nal_q.c)
- Devices receiving the 2026-06-01 security patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0147 published to NVD
- 2026-06-17 - Last updated in NVD database
- 2026-06-01 - Google released security patch via the Android Security Bulletin
Technical Details for CVE-2026-0147
Vulnerability Analysis
The vulnerability resides in __mfc_core_nal_q_get_dec_metadata_sei_nal, a function that processes decoder metadata from SEI NAL units inside the MFC kernel driver. SEI NAL units carry auxiliary metadata associated with encoded video streams such as H.264 and HEVC.
The function copies SEI payload data into a destination buffer without validating the source length against the destination size. This classifies the issue under [CWE-120] Buffer Copy without Checking Size of Input. An attacker who supplies a crafted video stream can overflow adjacent kernel memory.
Because the MFC driver runs in kernel context, a controlled out-of-bounds write can corrupt kernel structures and yield arbitrary code execution. The attack surface includes any application or media pipeline that decodes attacker-controlled video.
Root Cause
The root cause is the absence of a bounds check before writing SEI metadata into a fixed-size buffer. The function trusts size fields embedded in the parsed NAL unit. When those fields exceed the destination capacity, the write proceeds past the buffer boundary.
Attack Vector
Exploitation requires delivering a malformed video stream to the MFC decoder. Delivery vectors include messaging applications that auto-render media, browser-based video, malicious applications invoking the codec, and remote attachments processed by media services. The CVSS vector indicates low privileges and no user interaction, consistent with reachability from sandboxed application contexts.
The vulnerability manifests during SEI NAL parsing inside the kernel MFC queue handler. See the Android Security Bulletin for technical details and patch references.
Detection Methods for CVE-2026-0147
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing mfc_core_nal_q or __mfc_core_nal_q_get_dec_metadata_sei_nal in dmesg or logcat.
- Crashes in mediaserver, media.codec, or hardware codec HAL processes shortly after decoding untrusted video content.
- Anomalous child process creation or privilege transitions originating from media decoding processes.
Detection Strategies
- Monitor Android crash reports and kernel logs for repeated faults in MFC code paths, which can indicate exploitation attempts or fuzzing.
- Inspect telemetry from mobile threat defense agents for media processes that spawn shells, load unexpected libraries, or contact unknown network endpoints.
- Validate device patch levels against the 2026-06-01 Android security patch level across the managed fleet.
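The kernel-log indicator and the "repeated faults" strategy above can be triaged with a small filter. This is an added example, not code from the advisory or from Google: the function names, the fault-header patterns (common Linux oops and panic headers) and the sample log lines are assumptions constructed for illustration.

```shell
# Count kernel fault events whose header or backtrace references the MFC
# NAL queue code. Reads a dmesg or logcat capture on stdin.
# $1 = lines after a fault header still treated as the same event (default 40).
mfc_fault_events() {
    awk -v window="${1:-40}" '
        /Unable to handle kernel|Internal error: Oops|Kernel panic/ {
            if (remaining <= 0) hit = 0   # header outside a window: new event
            remaining = window            # headers inside a window extend it
        }
        remaining > 0 {
            # Matches mfc_core_nal_q.c references and the
            # __mfc_core_nal_q_get_dec_metadata_sei_nal symbol alike.
            if (!hit && /mfc_core_nal_q/) { hit = 1; events++ }
            remaining--
        }
        END { print events + 0 }
    '
}

# Exit 0 when stdin holds at least $1 MFC fault events (default 2).
# $2 is passed through as the event window.
mfc_faults_repeated() {
    [ "$(mfc_fault_events "${2:-40}")" -ge "${1:-2}" ]
}

# Constructed sample capture: two MFC faults, one unrelated fault, and one
# benign MFC message that must not be counted.
sample_log() {
    cat <<'EOF'
[  101.200001] mfc_core_nal_q: decoder queue started
[  101.734512] Unable to handle kernel paging request at virtual address ffffff8012345678
[  101.734530] Internal error: Oops: 96000045 [#1] PREEMPT SMP
[  101.734577] pc : __mfc_core_nal_q_get_dec_metadata_sei_nal+0x1a4/0x2c0
[  101.734590] Call trace:
[  101.734601]  __mfc_core_nal_q_get_dec_metadata_sei_nal+0x1a4/0x2c0
[  230.000100] usb 1-1: new high-speed USB device number 4
[  412.100000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  412.100020] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[  412.100050] pc : example_other_driver_irq+0x40/0x90
[  500.000000] wlan: connected
[  733.500000] Unable to handle kernel paging request at virtual address ffffff80deadb000
[  733.500030] Internal error: Oops: 96000045 [#1] PREEMPT SMP
[  733.500060] Call trace:
[  733.500070]  __mfc_core_nal_q_get_dec_metadata_sei_nal+0x1a4/0x2c0
EOF
}
```

Pipe a saved capture into `mfc_faults_repeated` to alert only when MFC faults recur; matching inside a fault window keeps routine driver messages from raising false positives.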
Monitoring Recommendations
- Aggregate Android device patch level reporting in your mobile device management (MDM) or unified endpoint management (UEM) console.
- Track media decoder process behavior on high-risk devices and alert on memory access violations.
- Subscribe to the Android Security Bulletin feed to track new MFC-related advisories that may share root cause patterns.
How to Mitigate CVE-2026-0147
Immediate Actions Required
- Apply the 2026-06-01 Android security patch level on all affected devices, prioritizing Pixel and OEM devices with Samsung-derived MFC kernel code.
- Identify devices that cannot receive the patch and restrict their exposure to untrusted media sources.
- Audit installed applications for unnecessary access to media processing intents and revoke broad media permissions.
Patch Information
Google published fixes in the June 2026 Pixel security bulletin. Device manufacturers ship the corresponding patch level 2026-06-01 or later. Refer to the Android Security Bulletin for the source patch and affected component details.
Workarounds
- Disable automatic media preview and auto-download in messaging and email clients to reduce drive-by exposure.
- Block untrusted video MIME types at network or mail gateways for unpatched device populations.
- Restrict installation of applications from unverified sources via MDM policy until patches are deployed.
# Verify Android security patch level on a managed device via adb
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later
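The single-device check above, extended to every device attached over adb. This is an added example, not part of the original advisory: the function names and status labels are assumptions, and only `adb devices` and the `getprop` call shown above are used against the device.

```shell
REQUIRED_SPL="2026-06-01"

# Classify one security patch level string.
# Prints PATCHED, OUTDATED, or UNKNOWN (empty or malformed value).
# UNKNOWN is reported separately so an offline device or an error message
# is never mistaken for a patched one.
spl_status() {
    level=$(printf '%s' "$1" | tr -d '[:space:]')   # drops adb's trailing CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are dropped.
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED_SPL" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then echo PATCHED; else echo OUTDATED; fi
}

# Print "serial <TAB> patch level <TAB> status" for each attached device.
audit_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from consuming the serial list on stdin.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
                </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(spl_status "$level")"
    done
}
```

Run `audit_connected_devices` and treat both OUTDATED and UNKNOWN rows as requiring follow-up.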

