CVE-2026-0149 Overview
CVE-2026-0149 is a heap buffer overflow in the Android RtpSession::rtpSendRtcpPacket function. The flaw is an out-of-bounds (OOB) write that can lead to remote code execution without user interaction. It is tracked as CWE-122 (Heap-based Buffer Overflow) and affects Google Android; Google shipped the fix in the Pixel Security Bulletin for June 2026.
Critical Impact
Attackers with low privileges can trigger a network-reachable heap overflow inside the Real-time Transport Protocol (RTP) session handler. Because the write lands in a native media component, it can yield remote code execution without any user interaction.
Affected Products
- Google Android (see vendor bulletin for affected build levels)
- Google Pixel devices addressed by the June 2026 Pixel Update
- Android platform components implementing RtpSession
Discovery Timeline
- 2026-06-01 - Google releases the fix in the Pixel Security Bulletin
- 2026-06-16 - CVE-2026-0149 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2026-0149
Vulnerability Analysis
The vulnerability resides in RtpSession::rtpSendRtcpPacket, the routine that constructs and transmits RTP Control Protocol (RTCP) packets within an Android RTP session. The function writes past the end of a heap-allocated buffer, which can corrupt adjacent heap metadata or neighbouring objects. Although rtpSendRtcpPacket is an outbound path, the RTCP fields it composes (reception statistics, report blocks, SSRC identifiers) are derived from session state that a remote peer influences, so an attacker can shape what ends up in the buffer and how much of it. The vendor bulletin does not state which field overflows.
Successful exploitation grants attacker-controlled execution at the privilege level of the affected media component. No user interaction is required, and the attacker needs no privileges beyond those of an ordinary network peer of the session. Because RTP and RTCP traffic flows through the telephony and Voice over IP (VoIP) stacks, the bug is reachable by a remote trigger.
Root Cause
The root cause is missing bounds validation when composing or copying RTCP packet fields into a heap buffer: the length of the data being written is never checked against the capacity of the destination allocation, so malformed or oversized RTCP fields write beyond its end and corrupt heap state. That pattern is what classifies the flaw as CWE-122.
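The bug class described above, shown as a hypothetical RTCP receiver-report composer beside its hardened form. This is an added illustration written for this page, not Android's RtpSession code, and the structure, field names and the way the report-block count is chosen are assumptions; the RTCP layout it serialises (8-byte RR header plus 24-byte report blocks, length in 32-bit words minus one) follows RFC 3550.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTCP_PT_RR    201  /* receiver report, RFC 3550 6.4.2 */
#define RTCP_HDR_LEN  8    /* V/P/RC, PT, length, reporter SSRC */
#define RTCP_RB_LEN   24   /* one reception report block */
#define RTCP_MAX_RC   31   /* RC is a 5-bit field */

/* Hypothetical per-source reception statistics kept in session state.
 * How many of these exist is driven by how many SSRCs the peer has used. */
struct report_block {
    uint32_t ssrc;
    uint8_t  fraction_lost;
    uint32_t cum_lost;      /* 24-bit on the wire */
    uint32_t ext_seq, jitter, lsr, dlsr;
};

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static void write_rb(uint8_t *p, const struct report_block *rb) {
    put32(p,      rb->ssrc);
    put32(p + 4,  ((uint32_t)rb->fraction_lost << 24) | (rb->cum_lost & 0xffffffu));
    put32(p + 8,  rb->ext_seq);
    put32(p + 12, rb->jitter);
    put32(p + 16, rb->lsr);
    put32(p + 20, rb->dlsr);
}

/* Shared serialisation; assumes the caller verified the buffer holds
 * RTCP_HDR_LEN + num_rb * RTCP_RB_LEN bytes. Returns bytes written. */
static size_t serialise_rr(uint8_t *buf, uint32_t ssrc,
                           const struct report_block *rbs, size_t num_rb) {
    buf[0] = (uint8_t)(0x80 | (num_rb & 0x1f));   /* V=2, P=0, RC */
    buf[1] = RTCP_PT_RR;
    put32(buf + 4, ssrc);
    size_t off = RTCP_HDR_LEN;
    for (size_t i = 0; i < num_rb; i++, off += RTCP_RB_LEN)
        write_rb(buf + off, &rbs[i]);
    uint16_t len_words = (uint16_t)(off / 4 - 1); /* RTCP length field */
    buf[2] = (uint8_t)(len_words >> 8);
    buf[3] = (uint8_t)len_words;
    return off;
}

/* CWE-122 pattern: the buffer was sized for a fixed block count elsewhere,
 * and this routine never compares num_rb against what it can hold. */
size_t compose_rr_unchecked(uint8_t *buf, size_t cap, uint32_t ssrc,
                            const struct report_block *rbs, size_t num_rb) {
    (void)cap;  /* capacity is known here but never consulted */
    return serialise_rr(buf, ssrc, rbs, num_rb);
}

/* Hardened form: derive the required size before writing and refuse
 * (return 0) when it does not fit or when RC cannot represent num_rb. */
size_t compose_rr_checked(uint8_t *buf, size_t cap, uint32_t ssrc,
                          const struct report_block *rbs, size_t num_rb) {
    if (num_rb > RTCP_MAX_RC) return 0;
    size_t need = RTCP_HDR_LEN + num_rb * RTCP_RB_LEN;
    if (need > cap) return 0;
    return serialise_rr(buf, ssrc, rbs, num_rb);
}

/* Constructed session state: three sources reported by a peer. */
static const struct report_block demo_rbs[3] = {
    { 0xaabbccdd, 0, 0, 0x10, 5, 0, 0 },
    { 0x11223344, 2, 7, 0x20, 9, 0, 0 },
    { 0x55667788, 0, 0, 0x30, 1, 0, 0 },
};

/* Composes num_rb blocks into a heap buffer sized for exactly two.
 * Returns bytes written (0 = refused). The unchecked path must only be
 * exercised with num_rb <= 2; with 3 it writes 24 bytes past the allocation. */
size_t demo_compose(size_t num_rb, int use_checked) {
    size_t cap = RTCP_HDR_LEN + 2 * RTCP_RB_LEN;
    uint8_t *buf = calloc(1, cap);
    if (!buf) return 0;
    size_t n = use_checked ? compose_rr_checked(buf, cap, 0x01020304, demo_rbs, num_rb)
                           : compose_rr_unchecked(buf, cap, 0x01020304, demo_rbs, num_rb);
    free(buf);
    return n;
}

/* Length field (in 32-bit words) of a checked composition, or -1 if refused. */
int demo_len_field(size_t num_rb) {
    size_t cap = RTCP_HDR_LEN + 2 * RTCP_RB_LEN;
    uint8_t *buf = calloc(1, cap);
    if (!buf) return -1;
    size_t n = compose_rr_checked(buf, cap, 0x01020304, demo_rbs, num_rb);
    int words = n ? ((buf[2] << 8) | buf[3]) : -1;
    free(buf);
    return words;
}

int main(void) {
    printf("checked, 3 blocks into a 2-block buffer: %zu bytes (0 = refused)\n", demo_compose(3, 1));
    printf("checked, 2 blocks: %zu bytes, length field %d words\n", demo_compose(2, 1), demo_len_field(2));
    return 0;
}
```

The unchecked and checked routines share one serialiser on purpose: the only difference is whether the size is derived and compared before the first byte is written, which is exactly the check the root-cause description says is absent.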
Attack Vector
The attack vector is network based. An attacker delivers a crafted RTCP packet or initiates a manipulated RTP session that drives rtpSendRtcpPacket into the vulnerable code path. With low privileges and no user interaction, the attacker corrupts the heap to hijack control flow. Refer to the Android Security Bulletin for component-level details.
Detection Methods for CVE-2026-0149
Indicators of Compromise
- Unexpected crashes or tombstones referencing RtpSession::rtpSendRtcpPacket or the surrounding RTP/RTCP stack
- Anomalous outbound or inbound RTCP packets with malformed length fields or oversized report blocks
- Native heap corruption signatures in logcat output from telephony or media processes, such as allocator abort messages (Scudo on Android 11 and later)
Detection Strategies
- Monitor Android device logs for repeated SIGSEGV or SIGABRT signals in processes handling RTP sessions
- Inspect network captures for RTCP packets violating RFC 3550 length and field constraints
- Correlate telephony service restarts with inbound session initiations from untrusted peers
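The RFC 3550 capture check suggested above, as an added example that is not part of the original page: a walker over a compound RTCP datagram that verifies version, the length field against the bytes actually present, padding, the fixed shape of SR and RR packets (28 + 24*RC and 8 + 24*RC bytes) and the rule that a compound starts with SR or RR. The sample datagrams are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RTCP packet types from RFC 3550 (200-204); 205-207 come from later RFCs. */
#define RTCP_SR     200
#define RTCP_RR     201
#define RTCP_SDES   202
#define RTCP_PT_MAX 207

/* Result: >= 0 is the number of packets in the compound, < 0 the first violation. */
enum {
    RTCP_ERR_TRUNCATED_HEADER = -1,  /* fewer than 4 bytes left */
    RTCP_ERR_VERSION          = -2,  /* V != 2 */
    RTCP_ERR_LENGTH_OVERRUN   = -3,  /* length field claims more than remains */
    RTCP_ERR_PADDING          = -4,  /* P set with an impossible pad count */
    RTCP_ERR_SR_SHAPE         = -5,  /* SR length inconsistent with RC */
    RTCP_ERR_RR_SHAPE         = -6,  /* RR length inconsistent with RC */
    RTCP_ERR_FIRST_PACKET     = -7,  /* compound must begin with SR or RR */
    RTCP_ERR_PAYLOAD_TYPE     = -8   /* PT outside 200-207 */
};

int rtcp_validate(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 4) return RTCP_ERR_TRUNCATED_HEADER;
        uint8_t v  = buf[off] >> 6;
        uint8_t p  = (buf[off] >> 5) & 1;
        uint8_t rc = buf[off] & 0x1f;
        uint8_t pt = buf[off + 1];
        /* length is in 32-bit words minus one, so bytes = (length + 1) * 4 */
        size_t bytes = ((((size_t)buf[off + 2] << 8) | buf[off + 3]) + 1) * 4;
        if (v != 2) return RTCP_ERR_VERSION;
        if (bytes > len - off) return RTCP_ERR_LENGTH_OVERRUN;
        if (pt < RTCP_SR || pt > RTCP_PT_MAX) return RTCP_ERR_PAYLOAD_TYPE;
        if (count == 0 && pt != RTCP_SR && pt != RTCP_RR) return RTCP_ERR_FIRST_PACKET;
        size_t body = bytes;
        if (p) {  /* last padding octet counts the padding, itself included */
            size_t pad = buf[off + bytes - 1];
            if (pad == 0 || pad % 4 != 0 || pad > bytes - 4) return RTCP_ERR_PADDING;
            body = bytes - pad;
        }
        if (pt == RTCP_SR && body != 28 + 24 * (size_t)rc) return RTCP_ERR_SR_SHAPE;
        if (pt == RTCP_RR && body != 8 + 24 * (size_t)rc) return RTCP_ERR_RR_SHAPE;
        off += bytes;
        count++;
    }
    return count;
}

/* Constructed compound: RR with one report block, then SDES with a CNAME. */
const uint8_t rtcp_sample_good[] = {
    0x81, 0xc9, 0x00, 0x07,  0x12, 0x34, 0x56, 0x78,  /* V=2 RC=1 PT=201 len=7, SSRC */
    0xab, 0xcd, 0xef, 0x01,  0x00, 0x00, 0x00, 0x00,  /* report block: SSRC, lost */
    0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x05,  /* ext seq, jitter */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  /* LSR, DLSR */
    0x81, 0xca, 0x00, 0x03,  0x12, 0x34, 0x56, 0x78,  /* SC=1 PT=202 len=3, SSRC */
    0x01, 0x03, 'a',  'b',   'c',  0x00, 0x00, 0x00,  /* CNAME "abc", end, pad */
};
/* Same RR, but the length field claims 40 bytes in a 32-byte datagram. */
const uint8_t rtcp_sample_overrun[] = {
    0x81, 0xc9, 0x00, 0x09,  0x12, 0x34, 0x56, 0x78,
    0xab, 0xcd, 0xef, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};
/* RR advertising RC=2 while carrying only one report block. */
const uint8_t rtcp_sample_rc_mismatch[] = {
    0x82, 0xc9, 0x00, 0x07,  0x12, 0x34, 0x56, 0x78,
    0xab, 0xcd, 0xef, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

int main(void) {
    printf("good:        %d\n", rtcp_validate(rtcp_sample_good, sizeof rtcp_sample_good));
    printf("overrun:     %d\n", rtcp_validate(rtcp_sample_overrun, sizeof rtcp_sample_overrun));
    printf("rc mismatch: %d\n", rtcp_validate(rtcp_sample_rc_mismatch, sizeof rtcp_sample_rc_mismatch));
    return 0;
}
```

The first-packet rule is the strict RFC 3550 form; endpoints negotiating reduced-size RTCP (RFC 5506) legitimately send compounds that do not start with SR or RR, so treat RTCP_ERR_FIRST_PACKET as a warning rather than an alert on such deployments.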
Monitoring Recommendations
- Track the Android patch level (ro.build.version.security_patch) across the fleet and flag devices below the June 2026 level; the value is an ISO date, so a plain string comparison against 2026-06-01 is sufficient
- Alert on RTCP traffic from non-allowlisted peers reaching managed devices, remembering that RTCP normally uses the RTP port plus one or is multiplexed onto the RTP port (RFC 5761), so rules keyed on a single port will miss it
- Forward mobile EDR telemetry on native crashes in media and telephony components for review
How to Mitigate CVE-2026-0149
Immediate Actions Required
- Apply the June 2026 Android security patch level on all Google Pixel and supported Android devices
- Audit enterprise mobile fleets for devices that cannot receive the update and prioritize replacement or isolation
- Restrict RTP and RTCP traffic to trusted peers via mobile device management (MDM) network policies
Patch Information
Google addressed CVE-2026-0149 in the Pixel Security Bulletin dated 2026-06-01. A device that reports a security patch level of 2026-06-01 or later carries the fix. Original equipment manufacturers (OEMs) ship the corresponding patch through their own update channels, so non-Pixel devices may reach that patch level on a later date.
Workarounds
- Disable or restrict VoIP and video calling applications that exercise the platform RTP stack until devices are patched
- Block untrusted RTCP traffic at the network edge for managed mobile devices
- Enforce MDM policies requiring the June 2026 or later security patch level before granting access to corporate resources
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

