
CVE-2026-0149: Google Android RCE Vulnerability

CVE-2026-0149 is a remote code execution vulnerability in Google Android caused by a heap buffer overflow in RtpSession::rtpSendRtcpPacket. This article covers technical details, affected versions, and mitigation.


CVE-2026-0149 Overview

CVE-2026-0149 is a heap buffer overflow vulnerability in the Android RtpSession::rtpSendRtcpPacket function. The flaw enables an out-of-bounds (OOB) write that can lead to remote code execution without requiring user interaction. The issue is tracked under CWE-122: Heap-based Buffer Overflow and affects Google Android. Google published the patch in the Pixel Security Bulletin for June 2026.

Critical Impact

Attackers with low privileges can trigger a network-reachable heap overflow inside the Real-time Transport Protocol (RTP) session handler, achieving remote code execution without user interaction.

Affected Products

  • Google Android (see vendor bulletin for affected build levels)
  • Google Pixel devices addressed by the June 2026 Pixel Update
  • Android platform components implementing RtpSession

Discovery Timeline

  • 2026-06-01 - Google releases fix in the Pixel Security Bulletin
  • 2026-06-16 - CVE-2026-0149 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0149

Vulnerability Analysis

The vulnerability resides in RtpSession::rtpSendRtcpPacket, the routine responsible for constructing and transmitting RTP Control Protocol (RTCP) packets within an Android RTP session. The function performs an OOB write on a heap-allocated buffer, corrupting adjacent heap metadata or object pointers. Because the affected path handles network-derived RTCP data, an attacker can shape the input to overwrite controlled bytes beyond the allocation boundary.

Successful exploitation grants attacker-controlled execution at the privilege level of the affected media component. The vulnerability requires no user interaction and no elevated privileges beyond those typically held by the calling process. RTP and RTCP traffic frequently traverses telephony and Voice over IP (VoIP) stacks, exposing the bug to remote triggers.

Root Cause

The root cause is improper bounds validation when composing or copying RTCP packet fields into a heap buffer. The function writes past the end of the allocation, classifying the flaw as CWE-122. Insufficient length checks against the destination buffer allow malformed or oversized RTCP fields to corrupt heap state.

Attack Vector

The attack vector is network based. An attacker delivers a crafted RTCP packet or initiates a manipulated RTP session that drives rtpSendRtcpPacket into the vulnerable code path. With low privileges and no user interaction, the attacker corrupts the heap to hijack control flow. Refer to the Android Security Bulletin for component-level details.

Detection Methods for CVE-2026-0149

Indicators of Compromise

  • Unexpected crashes or tombstones referencing RtpSession::rtpSendRtcpPacket or the surrounding RTP/RTCP stack
  • Anomalous outbound or inbound RTCP packets with malformed length fields or oversized report blocks
  • Native heap corruption signatures in logcat output from telephony or media processes

Detection Strategies

  • Monitor Android device logs for repeated SIGSEGV or SIGABRT signals in processes handling RTP sessions
  • Inspect network captures for RTCP packets violating RFC 3550 length and field constraints
  • Correlate telephony service restarts with inbound session initiations from untrusted peers
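The IoC about RTCP packets with malformed length fields or oversized report blocks, and the capture-inspection strategy above, can be put into practice with a small RFC 3550 consistency checker. The following is an added example written for this page, not code from the Android RTP stack or from Google; it walks a compound RTCP packet and flags every packet whose declared length, report count, or padding disagree with the RFC, using constructed sample packets rather than real captures.

```python
import struct

# RTCP payload types from RFC 3550 section 12.1
RTCP_SR, RTCP_RR, RTCP_SDES, RTCP_BYE, RTCP_APP = 200, 201, 202, 203, 204
# (fixed bytes, bytes per counted item) implied by the 5-bit RC/SC field
# for each payload type (RFC 3550 sections 6.4 to 6.7)
MIN_SIZE = {RTCP_SR: (28, 24), RTCP_RR: (8, 24), RTCP_SDES: (4, 8),
            RTCP_BYE: (4, 4), RTCP_APP: (12, 0)}

def validate_rtcp(data: bytes) -> list:
    """Walk a (possibly compound) RTCP packet and return a list of RFC 3550
    length/count violations; an empty list means the fields are consistent."""
    findings, offset, first = [], 0, True
    while offset < len(data):
        if len(data) - offset < 4:
            findings.append(f"truncated header at offset {offset}")
            break
        b0, pt, length = struct.unpack_from("!BBH", data, offset)
        version, padding, rc = b0 >> 6, (b0 >> 5) & 1, b0 & 0x1F
        pkt_len = (length + 1) * 4  # length counts 32-bit words minus one
        if version != 2:
            findings.append(f"bad version {version} at offset {offset}")
        if not RTCP_SR <= pt <= RTCP_APP:
            findings.append(f"unknown payload type {pt} at offset {offset}")
        if first and pt not in (RTCP_SR, RTCP_RR):
            findings.append("compound packet does not start with SR or RR")
        if offset + pkt_len > len(data):
            findings.append(f"declared length {pkt_len} exceeds remaining "
                            f"{len(data) - offset} bytes at offset {offset}")
            break
        base, per_item = MIN_SIZE.get(pt, (4, 0))
        need = base + per_item * rc
        if pkt_len < need:
            findings.append(f"report count {rc} needs {need} bytes but "
                            f"length declares {pkt_len} at offset {offset}")
        elif padding and offset + pkt_len != len(data):
            findings.append("padding bit set on a non-final packet")
        elif padding and not 1 <= data[offset + pkt_len - 1] <= pkt_len - need:
            findings.append(f"invalid padding count {data[offset + pkt_len - 1]}")
        offset += pkt_len
        first = False
    return findings

# Constructed sample packets (not real captures): a valid RR+SDES compound,
# an RR whose report count exceeds its length, and an RR with a huge length
GOOD_RR_SDES = bytes.fromhex("80c90001" "deadbeef" "81ca0002" "deadbeef" "01016100")
BAD_REPORT_COUNT = bytes.fromhex("85c90001" "deadbeef")
OVERSIZED_LENGTH = bytes.fromhex("80c90fff" "deadbeef")
```

Feed it the UDP payload of each packet on the RTCP port of a capture; any non-empty result is a candidate for the malformed-RTCP indicator above.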

Monitoring Recommendations

  • Track Android patch level (ro.build.version.security_patch) across the fleet and flag devices below the June 2026 patch level
  • Alert on RTCP traffic from non-allowlisted peers reaching managed devices
  • Forward mobile EDR telemetry on native crashes in media and telephony components for review

How to Mitigate CVE-2026-0149

Immediate Actions Required

  • Apply the June 2026 Android security patch level on all Google Pixel and supported Android devices
  • Audit enterprise mobile fleets for devices that cannot receive the update and prioritize replacement or isolation
  • Restrict RTP and RTCP traffic to trusted peers via mobile device management (MDM) network policies

Patch Information

Google addressed CVE-2026-0149 in the Pixel Security Bulletin dated 2026-06-01. Devices must report a security patch level of 2026-06-01 or later to receive the fix. Original equipment manufacturers (OEMs) ship the corresponding patch through their own update channels.

Workarounds

  • Disable or restrict VoIP and video calling applications that exercise the platform RTP stack until devices are patched
  • Block untrusted RTCP traffic at the network edge for managed mobile devices
  • Enforce MDM policies requiring the June 2026 or later security patch level before granting access to corporate resources

```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
