Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0157

CVE-2026-0157: Google Android Information Disclosure Flaw

CVE-2026-0157 is an information disclosure vulnerability in Google Android caused by an out-of-bounds read in RtcpHeader::decodeRtcpHeader. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-0157 Overview

CVE-2026-0157 is an out-of-bounds (OOB) read vulnerability in Android's RtcpHeader::decodeRtcpHeader function. The flaw stems from a missing bounds check while parsing Real-time Transport Control Protocol (RTCP) header fields. An attacker can trigger the condition remotely without user interaction, leading to information disclosure of adjacent process memory. Exploitation requires low-level privileges on the device and does not grant additional execution capability. Google addressed the issue in the June 2026 Android Security Bulletin.

Critical Impact

Remote attackers can read out-of-bounds memory from the RTCP parser, exposing potentially sensitive process data without user interaction.

Affected Products

  • Google Android (see Android Security Bulletin June 2026 for impacted versions)
  • Devices using the affected Android media/RTCP stack
  • Pixel devices receiving the June 2026 security patch level

Discovery Timeline

  • 2026-06-16 - CVE-2026-0157 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0157

Vulnerability Analysis

The vulnerability resides in RtcpHeader::decodeRtcpHeader, the routine responsible for parsing incoming RTCP packet headers. The function reads header fields from a network-supplied buffer without first verifying that the buffer contains enough bytes to satisfy the declared field offsets. When a crafted RTCP packet arrives with truncated or malformed length fields, the decoder reads past the end of the allocated buffer. This results in memory contents from adjacent regions being incorporated into parsed state, where they may then be surfaced to an attacker. The weakness is categorized as a buffer copy without checking the size of input [CWE-120]. Because RTCP is processed during real-time media sessions, the parser executes automatically on packet arrival, removing the need for user interaction.

Root Cause

The root cause is the absence of a length validation step before dereferencing offsets inside the RTCP header structure. The decoder trusts attacker-controlled length and count fields and indexes into the input buffer using those values directly.

Attack Vector

An attacker positioned to deliver RTCP traffic to the target device, typically through an active or attacker-influenced real-time media session, sends a malformed RTCP packet. The decoder processes the header and returns leaked memory through subsequent media plane responses or session state. No user interaction is required.

No verified proof-of-concept code is publicly available. Refer to the Android Security Bulletin June 2026 for additional technical context.

Detection Methods for CVE-2026-0157

Indicators of Compromise

  • Malformed RTCP packets containing inconsistent length, count, or padding fields directed at the device's media stack
  • Unexpected crashes or memory reads attributable to the RtcpHeader::decodeRtcpHeader code path in tombstone logs
  • Anomalous RTCP traffic patterns associated with VoIP or WebRTC sessions originating from untrusted peers

Detection Strategies

  • Inspect network telemetry for RTCP packets whose declared header length exceeds the actual payload size
  • Correlate Android tombstone or logcat entries referencing RTCP or media framework components with active session metadata
  • Monitor mobile endpoints for the installed Android security patch level and flag devices below the June 1, 2026 patch level

Monitoring Recommendations

  • Aggregate mobile device patch level data into a central data lake and alert on devices missing the June 2026 update
  • Enable network-layer inspection of SIP, WebRTC, and VoIP signaling channels to identify malformed RTCP exchanges
  • Track repeated media session failures from the same remote peer as a possible probing indicator

How to Mitigate CVE-2026-0157

Immediate Actions Required

  • Apply the June 2026 Android security patch level to all managed Android devices
  • Restrict installation and execution of applications that initiate RTCP sessions with untrusted endpoints
  • Enforce mobile device management (MDM) policies that block devices below the patched security patch level from accessing sensitive enterprise resources

Patch Information

Google published fixes in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later include the corrected bounds check in RtcpHeader::decodeRtcpHeader. Pixel devices receive the patch through the corresponding Pixel update bulletin. Original equipment manufacturers (OEMs) distribute the fix on their own schedules.

Workarounds

  • Disable or limit applications that accept inbound RTCP traffic from arbitrary networks until the patch is applied
  • Route real-time media sessions through trusted session border controllers that validate RTCP framing
  • Segment mobile devices from untrusted Wi-Fi and cellular peers when handling sensitive media communications

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne