CVE-2026-0160 Overview
CVE-2026-0160 is an out-of-bounds write vulnerability in the Android operating system. The flaw resides in the TextRtpPayloadDecoderNode::DecodeT140 function within TextRtpPayloadDecoderNode.cpp. A missing bounds check allows an attacker to write outside the allocated buffer when processing T.140 real-time text Real-time Transport Protocol (RTP) payloads. Successful exploitation can lead to remote code execution without additional execution privileges and without user interaction. The vulnerability is tracked under [CWE-120] (Buffer Copy without Checking Size of Input).
Critical Impact
Remote attackers can trigger memory corruption in the Android RTP text payload decoder to achieve code execution without user interaction.
Affected Products
- Google Android (per the Android Security Bulletin June 2026)
- Devices running the unpatched Android IMS/ImsMedia stack containing TextRtpPayloadDecoderNode
- Pixel devices prior to the June 2026 security patch level
Discovery Timeline
- 2026-06-16 - CVE-2026-0160 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0160
Vulnerability Analysis
The vulnerability is located in TextRtpPayloadDecoderNode::DecodeT140, the routine responsible for parsing T.140 real-time text payloads delivered over RTP. The decoder processes attacker-controlled payload data without validating the size of the input against the destination buffer. As a result, a crafted RTP packet can write past the end of the destination buffer, corrupting adjacent memory.
The Common Weakness Enumeration classifies the issue as [CWE-120], a classic buffer copy without size checking. Because the affected component is part of the IMS media handling path, the vulnerable code can be reached over the network during normal real-time text session negotiation.
Root Cause
The root cause is a missing bounds check before copying T.140 payload bytes into a fixed-size destination buffer inside DecodeT140. The decoder trusts the length field or implicit payload size derived from the RTP packet rather than validating it against the capacity of the receiving buffer. When the payload length exceeds the buffer, the write proceeds past the allocated region, producing out-of-bounds writes into heap or stack memory depending on allocation context.
Attack Vector
An attacker delivers a malformed T.140 RTP payload to a target device that processes the stream through the vulnerable decoder. The vector is network-based, requires low privileges, and needs no user interaction. Because RTP text sessions can be established through IMS signaling, an adversary positioned to send signaling and media to a target subscriber can drive execution into DecodeT140 and trigger the out-of-bounds write. Successful memory corruption can be shaped to hijack control flow and achieve remote code execution within the media handling process.
No public proof-of-concept exploit is currently listed for this CVE. Refer to the Android Security Bulletin June 2026 for vendor-supplied technical references.
Detection Methods for CVE-2026-0160
Indicators of Compromise
- Unexpected crashes or tombstones in IMS media processes referencing TextRtpPayloadDecoderNode or DecodeT140 frames in the stack trace.
- Abnormal RTP traffic patterns carrying oversized or malformed T.140 payloads to devices with active IMS sessions.
- New child processes, code execution, or outbound connections originating from the IMS media stack after RTP session activity.
Detection Strategies
- Monitor Android logcat and tombstone files for SIGSEGV or SIGABRT signals inside the ImsMedia process, especially with frames in TextRtpPayloadDecoderNode.cpp.
- Inspect RTP streams at network boundaries for T.140 payloads with declared lengths inconsistent with the underlying packet size.
- Correlate device telemetry for spikes in IMS media process restarts following inbound RTP sessions from untrusted peers.
Monitoring Recommendations
- Track Android security patch level across the fleet and flag devices below the June 2026 patch level.
- Aggregate mobile telemetry into a centralized analytics pipeline to identify repeated crashes tied to the IMS stack.
- Alert on anomalous IMS signaling and media flows originating from networks that do not normally serve enrolled subscribers.
How to Mitigate CVE-2026-0160
Immediate Actions Required
- Apply the June 2026 Android security patch level on all managed Android and Pixel devices.
- Enforce mobile device management (MDM) policies that block enrollment or network access for devices below the patched security patch level.
- Restrict exposure of IMS and real-time text services to trusted carrier networks where feasible.
Patch Information
Google addressed CVE-2026-0160 in the June 2026 Android Security Bulletin. Device manufacturers integrate the fix at security patch level 2026-06-01 or later. Refer to the Android Security Bulletin June 2026 for the source patch reference and the list of affected components. Pixel devices receive the corresponding update through the Pixel Update Bulletin for the same month.
Workarounds
- Disable real-time text (RTT) features on affected devices until patches are applied, where carrier and accessibility policy allow.
- Limit IMS service exposure to trusted Access Point Names (APNs) and carrier infrastructure to reduce reachability of the vulnerable decoder.
- Use MDM policies to require minimum Android security patch level before granting access to corporate resources.
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
