Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0155

CVE-2026-0155: Google Android Information Disclosure Flaw

CVE-2026-0155 is an information disclosure vulnerability in Google Android caused by an out-of-bounds read in ImsMediaBitReader. Attackers can exploit this remotely without user interaction to access sensitive data.

Published:

CVE-2026-0155 Overview

CVE-2026-0155 is an out-of-bounds read vulnerability in Google Android. The flaw resides in the ImsMediaBitReader::ReadByteBuffer function, which lacks a proper bounds check before reading from a byte buffer. An attacker can trigger the condition to disclose adjacent memory contents over the network. Exploitation requires no user interaction and no additional execution privileges beyond the low privileges already required by the calling context. The issue is tracked under CWE-120 and is addressed in the June 2026 Android security bulletin.

Critical Impact

Remote information disclosure through out-of-bounds memory reads in the IMS media stack, exploitable without user interaction.

Affected Products

  • Google Android (IMS media component)
  • Devices receiving the Android June 2026 security patch level
  • Google Pixel devices per the June 2026 Pixel bulletin

Discovery Timeline

  • 2026-06-16 - CVE-2026-0155 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database
  • June 2026 - Google releases fix in the Android Security Bulletin June 2026

Technical Details for CVE-2026-0155

Vulnerability Analysis

The vulnerability exists inside ImsMediaBitReader::ReadByteBuffer, a helper used by the Android IP Multimedia Subsystem (IMS) media stack to parse byte-aligned data from a bit buffer. The function reads a caller-specified number of bytes from an internal buffer without validating that the requested read range stays within buffer boundaries. When a crafted media payload requests more bytes than the buffer holds, the reader copies adjacent process memory into the returned buffer. The leaked bytes can be returned to the network peer through subsequent IMS media processing, producing a remote information disclosure primitive.

Root Cause

The root cause is a missing bounds check on the requested read length relative to the current buffer position and total buffer size. The condition falls under [CWE-120], buffer copy without checking size of input. Trust in attacker-controlled length fields parsed from IMS media frames allows the reader to walk past the end of the allocation.

Attack Vector

An attacker delivers a malformed IMS media frame to a targeted device. The IMS media stack invokes ReadByteBuffer with an attacker-influenced length, and the out-of-bounds read returns uninitialized or adjacent heap data. The exposure is confidentiality-only and does not affect integrity or availability of the device. No user interaction is required, but the calling context must hold low-level privileges within the IMS service.

No public proof-of-concept code is available for CVE-2026-0155. Refer to the Android Security Bulletin June 2026 for component-level patch references.

Detection Methods for CVE-2026-0155

Indicators of Compromise

  • Anomalous IMS signaling or media frames carrying oversized length fields directed at the device IMS stack
  • Unexpected crashes or memory-sanitizer warnings originating from the libimsmedia component
  • Outbound IMS media responses containing unusually long or non-conforming payloads following a malformed inbound frame

Detection Strategies

  • Inspect Android security patch level on managed devices and flag any device below the June 2026 patch level
  • Correlate carrier IMS logs for malformed Real-time Transport Protocol (RTP) or Session Initiation Protocol (SIP) media payloads targeting subscribers
  • Hunt for repeated parser exceptions in logcat traces tied to the IMS media component

Monitoring Recommendations

  • Track the Android security patch level (ro.build.version.security_patch) across the device fleet through Mobile Device Management (MDM)
  • Alert on devices that fail to advance to the June 2026 patch level within the defined remediation window
  • Monitor mobile threat defense telemetry for abnormal IMS service behavior or repeated media stack crashes

How to Mitigate CVE-2026-0155

Immediate Actions Required

  • Apply the Android security patch level dated 2026-06-01 or later on all affected devices
  • For Pixel devices, install the June 2026 Pixel update referenced in the Pixel bulletin
  • Push the update through enterprise MDM and enforce minimum patch level policies for corporate access

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Device manufacturers and carriers distribute the patch as part of the 2026-06-01 security patch level. Confirm that downstream OEM builds incorporate the corrected ImsMediaBitReader::ReadByteBuffer bounds check before deploying to production fleets.

Workarounds

  • No vendor-supplied workaround exists; patching is the supported remediation
  • Restrict use of IMS services such as Voice over LTE (VoLTE) and Voice over Wi-Fi on unpatched devices where carrier policy allows
  • Limit exposure of unpatched devices to untrusted carrier or roaming networks until updates are applied
bash
# Verify current Android security patch level on a device
adb shell getprop ro.build.version.security_patch
# Expected output should be 2026-06-01 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne