CVE-2026-0156 Overview
CVE-2026-0156 is a memory safety vulnerability in the checkSsrcCollisionOnRcv function of RtpSession.cpp, a component of the Android Real-time Transport Protocol (RTP) stack. The flaw stems from a missing null check that can be triggered when processing incoming RTP traffic. Exploitation can result in remote denial of service against the affected device. The vulnerability requires no user interaction and no additional execution privileges, making it reachable by any attacker capable of delivering crafted RTP packets to the target. Android Security Bulletin coverage was published in June 2026.
Critical Impact
Remote attackers can crash the RTP session handler on affected Android devices by sending crafted media packets, with no user interaction required.
Affected Products
- Android (RTP stack — RtpSession.cpp)
- Devices receiving Android Security Bulletin June 2026 updates
- Pixel devices covered by the June 2026 Pixel Update Bulletin
Discovery Timeline
- 2026-06-16 - CVE-2026-0156 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0156
Vulnerability Analysis
The defect resides in checkSsrcCollisionOnRcv within RtpSession.cpp. This function is invoked on receipt of RTP packets to detect Synchronization Source (SSRC) identifier collisions between participants in a media session. The implementation dereferences a pointer that can be null under attacker-influenced conditions, producing a memory safety fault. The result is a process crash that terminates the media session and any dependent services. Because the function executes during inbound packet processing, an attacker only needs to deliver a crafted RTP datagram to a reachable endpoint to trigger the condition.
Root Cause
The root cause is a missing null pointer validation prior to dereference inside checkSsrcCollisionOnRcv. When the SSRC collision check is reached with an unexpected session or source state, the absent guard causes the code path to operate on a null reference. This is classified as a null pointer dereference leading to denial of service.
Attack Vector
An attacker delivers a crafted RTP packet stream to an Android device or service that processes media through the vulnerable RTP session handler. No authentication, privileges, or user interaction are required. The vulnerability does not yield code execution; impact is limited to availability of the affected component or process. Repeated triggering can be used to sustain a denial of service condition against media services on the device.
No public proof-of-concept code has been released. For component-level technical details, see the Android Security Bulletin June 2026.
Detection Methods for CVE-2026-0156
Indicators of Compromise
- Unexpected crashes or restarts of Android media or telephony processes that handle RTP traffic.
- Crash logs referencing RtpSession.cpp or checkSsrcCollisionOnRcv in logcat, tombstones, or device bug reports.
- Inbound RTP traffic from untrusted sources containing anomalous or colliding SSRC identifier values.
Detection Strategies
- Inspect Android tombstone and dropbox artifacts for SIGSEGV faults attributed to the RTP stack.
- Correlate media service restarts with inbound UDP/RTP flows from external networks to identify triggering traffic.
- Use network sensors to flag RTP streams with malformed headers or repeated SSRC collisions targeting mobile endpoints.
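As an added example of the network-side check above (not code from the page or from the Android project), the following Python parses RFC 3550 RTP headers, rejects malformed packets, and flags an SSRC that is reused by a different transport address or listed as its own CSRC. The packets and peer addresses are constructed inline for illustration.

```python
import struct

def parse_rtp_header(pkt: bytes):
    """Parse an RFC 3550 RTP header; return a dict, or None if the packet is malformed."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc
    if len(pkt) < hdr_len:
        return None
    csrcs = struct.unpack("!%dI" % cc, pkt[12:hdr_len]) if cc else ()
    if (b0 >> 4) & 1:                     # header extension: profile(2) + length(2) + words
        if len(pkt) < hdr_len + 4:
            return None
        hdr_len += 4 + 4 * struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
        if len(pkt) < hdr_len:
            return None
    if (b0 >> 5) & 1 and not 1 <= pkt[-1] <= len(pkt) - hdr_len:   # padding count sanity
        return None
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "csrc": csrcs,
            "pt": b1 & 0x7F, "marker": b1 >> 7}

class SsrcCollisionMonitor:
    """Remember which transport address first used each SSRC; flag reuse by another peer."""
    def __init__(self):
        self.owner = {}     # ssrc -> (ip, port) that first claimed it
        self.alerts = []    # (kind, source, ssrc) tuples for the SOC to review

    def observe(self, src, pkt):
        hdr = parse_rtp_header(pkt)
        if hdr is None:
            self.alerts.append(("malformed", src, None))
            return "malformed"
        ssrc = hdr["ssrc"]
        if ssrc in hdr["csrc"]:           # a sender listing its own SSRC as a contributor
            self.alerts.append(("ssrc_collision", src, ssrc))
            return "collision"
        if self.owner.setdefault(ssrc, src) != src:
            self.alerts.append(("ssrc_collision", src, ssrc))
            return "collision"
        return "ok"

def build_rtp(ssrc, seq, pt=0, csrcs=()):
    """Build a minimal RTP packet (constructed test input, not captured traffic)."""
    return struct.pack("!BBHII", (2 << 6) | len(csrcs), pt, seq, 0, ssrc) + \
        b"".join(struct.pack("!I", c) for c in csrcs)
```

The monitor keys on the first address seen per SSRC; in a real sensor the table should be aged out per session so that a legitimately restarted peer is not flagged forever.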
Monitoring Recommendations
- Forward Android device crash telemetry and mobile EDR signals to a central analytics platform for correlation across the fleet.
- Alert on repeated crash-loop behavior in media or VoIP applications immediately following inbound RTP sessions.
- Track patch level (ro.build.version.security_patch) across managed devices to identify endpoints still missing the June 2026 update.
How to Mitigate CVE-2026-0156
Immediate Actions Required
- Apply the June 2026 Android Security Bulletin patch level on all managed devices as soon as it is available from the device vendor.
- Inventory devices and applications that expose RTP listeners and prioritize them for patching.
- Restrict inbound RTP traffic at the network perimeter to known signaling peers and SBCs where feasible.
Patch Information
The fix is delivered through the Android Open Source Project and downstream vendor updates referenced in the Android Security Bulletin June 2026. Devices must report a security patch level of 2026-06-01 or later to incorporate the corrected checkSsrcCollisionOnRcv implementation.
Workarounds
- Disable or restrict VoIP and RTP-based applications on devices that cannot receive the June 2026 patch immediately.
- Enforce session border controller (SBC) policies that validate SSRC values and drop malformed RTP packets before they reach mobile endpoints.
- Limit exposure of mobile devices to untrusted networks where attacker-controlled RTP traffic could be delivered directly.
# Verify Android security patch level on a managed device via ADB
adb shell getprop ro.build.version.security_patch
# Expected output after remediation: 2026-06-01 or later
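To apply that check across a fleet rather than one device, here is an added Python example (not from the page or the Android project) that parses the ro.build.version.security_patch value collected per device and reports which serials are below the 2026-06-01 level or return an unreadable value. The serials and getprop outputs are constructed sample data.

```python
import re
from datetime import date

# Patch level that carries the corrected checkSsrcCollisionOnRcv, per the June 2026 bulletin.
REQUIRED_PATCH = date(2026, 6, 1)

def parse_patch_level(raw: str):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if missing or malformed."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:          # e.g. 2026-13-01 from a corrupt or tampered build.prop
        return None

def find_unpatched(fleet, required=REQUIRED_PATCH):
    """fleet maps device serial -> raw getprop output. Returns {serial: reason} needing attention."""
    flagged = {}
    for serial, raw in fleet.items():
        level = parse_patch_level(raw)
        if level is None:
            flagged[serial] = "unreadable"
        elif level < required:
            flagged[serial] = "missing %s" % required.isoformat()
    return flagged

# Constructed sample output of `adb shell getprop ro.build.version.security_patch` per serial.
FLEET = {
    "SERIAL-A": "2026-06-05\n",
    "SERIAL-B": "2026-05-01\n",
    "SERIAL-C": "\n",
    "SERIAL-D": "2026-06-01\n",
    "SERIAL-E": "2026-13-01\n",
}

if __name__ == "__main__":
    for serial, why in sorted(find_unpatched(FLEET).items()):
        print(serial, why)
```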
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.