Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0154

CVE-2026-0154: Google Android Modem RCE Vulnerability

CVE-2026-0154 is a remote code execution vulnerability in Google Android modem triggered via SIP REFER requests. Attackers can exploit memory corruption to crash the modem without user interaction. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-0154 Overview

CVE-2026-0154 is a memory corruption vulnerability in the modem component of Google Android. Attackers can trigger a modem crash by sending a crafted Session Initiation Protocol (SIP) REFER request. The flaw can lead to remote code execution without requiring user interaction or additional execution privileges. The issue is classified as a buffer copy without checking size of input [CWE-120].

Critical Impact

Remote attackers can corrupt modem memory through a single SIP REFER message, enabling code execution on affected Android devices without user interaction.

Affected Products

  • Google Android (modem component)
  • Devices receiving Android Security Bulletin June 2026 patches
  • Pixel devices covered under the June 2026 Pixel Bulletin

Discovery Timeline

  • 2026-06-16 - CVE-2026-0154 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database
  • 2026-06-01 - Addressed in the Android Security Bulletin June 2026

Technical Details for CVE-2026-0154

Vulnerability Analysis

The vulnerability resides in the modem firmware that parses SIP signaling traffic. When the modem processes a SIP REFER request, an unchecked memory operation corrupts adjacent buffers. SIP REFER is used to instruct a user agent to initiate a new transaction, typically for call transfer scenarios.

Because modem firmware runs with elevated privileges relative to the application processor, memory corruption in this component can be leveraged to achieve remote code execution. Exploitation requires low privileges (PR:L) on the network path but no user interaction, allowing attackers with access to the cellular signaling channel to reach the vulnerable code path.

Root Cause

The root cause is a classic buffer copy without input size validation, mapped to [CWE-120]. The modem parser copies attacker-controlled fields from the SIP REFER message into a fixed-size buffer without verifying that the source length fits the destination. The resulting out-of-bounds write corrupts adjacent memory structures, including potential function pointers or control data used by the modem runtime.

Attack Vector

The attack vector is network-based. An attacker capable of delivering crafted SIP signaling to the target device, such as through a rogue IP Multimedia Subsystem (IMS) node, compromised carrier infrastructure, or a malicious VoLTE peer, can transmit the malformed REFER request. The modem processes the request before any user-facing application is involved, so no notification or interaction is generated on the device prior to compromise.

No public proof-of-concept or exploit code is available for CVE-2026-0154 at the time of publication. See the Android Security Bulletin June 2026 for vendor technical details.

Detection Methods for CVE-2026-0154

Indicators of Compromise

  • Unexpected modem reboots, baseband resets, or radio interface layer (RIL) crash logs correlated with incoming SIP traffic.
  • Abnormally large or malformed SIP REFER headers observed in IMS or VoLTE signaling captures.
  • Loss of cellular connectivity followed by automatic re-registration with the carrier network.

Detection Strategies

  • Inspect modem crash dumps and tombstone files on Android devices for faults originating in SIP message handlers.
  • Deploy IMS-aware network monitoring to flag SIP REFER requests with oversized Refer-To, Referred-By, or related header fields.
  • Correlate cellular signaling anomalies with mobile device management (MDM) telemetry to identify clusters of affected handsets.

Monitoring Recommendations

  • Forward Android logcat and modem diagnostic logs to a centralized logging platform for retroactive analysis.
  • Track Android patch level (ro.build.version.security_patch) across the fleet and alert on devices below the June 2026 baseline.
  • Monitor carrier-side SIP gateways for repeated REFER requests targeting individual subscribers, which may indicate exploitation attempts.

How to Mitigate CVE-2026-0154

Immediate Actions Required

  • Apply the June 2026 Android security patch level or later on all managed devices.
  • For Pixel devices, install the June 2026 Pixel update referenced in the vendor bulletin.
  • Enforce minimum patch level compliance through MDM policies and block non-compliant devices from sensitive resources.

Patch Information

Google addressed CVE-2026-0154 in the June 2026 Android Security Bulletin. Device manufacturers ship the fix in builds that report a 2026-06-01 security patch level or higher. Refer to the Android Security Bulletin June 2026 for component and build details.

Workarounds

  • Disable VoLTE or Wi-Fi Calling on high-risk devices until patches are deployed, recognizing the impact to voice services.
  • Restrict device connectivity to trusted carrier networks and avoid roaming on untrusted IMS infrastructure where feasible.
  • Apply carrier-side filtering on SIP REFER headers to drop messages with abnormal length or structure before they reach subscriber devices.
bash
# Verify Android security patch level on a managed device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne