Skip to main content
CVE Vulnerability Database

CVE-2026-0161: Google Android Privilege Escalation Flaw

CVE-2026-0161 is a privilege escalation vulnerability in Google Android caused by an integer overflow in RtpSession.cpp. Attackers can exploit this remotely without user interaction. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-0161 Overview

CVE-2026-0161 is an integer overflow vulnerability in the numberOfReportBlocks function of RtpSession.cpp in Google Android. The flaw enables an out-of-bounds write that can be triggered remotely without user interaction. Successful exploitation results in remote escalation of privilege without requiring additional execution privileges. The weakness is classified under CWE-190: Integer Overflow or Wraparound. Google addressed the issue in the Android Security Bulletin for June 2026.

Critical Impact

Remote attackers can trigger memory corruption in the Real-time Transport Protocol (RTP) session handler to escalate privileges on affected Android devices without user interaction.

Affected Products

  • Google Android (Pixel)
  • Android components processing RTP/RTCP traffic via RtpSession.cpp
  • Devices covered by the June 2026 Pixel security bulletin

Discovery Timeline

  • 2026-06-01 - Google releases the Pixel security bulletin addressing the issue
  • 2026-06-16 - CVE-2026-0161 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD

Technical Details for CVE-2026-0161

Vulnerability Analysis

The vulnerability resides in the numberOfReportBlocks logic within RtpSession.cpp, the component responsible for parsing Real-time Transport Control Protocol (RTCP) report blocks. An attacker-supplied value influences a size calculation that overflows the bounds of the integer type. The overflowed value is subsequently used to size or index a memory operation, producing an out-of-bounds write.

The exposure category is network-reachable because RTP and RTCP sessions accept data from remote peers during media exchanges. The flaw allows escalation of privilege from a low-privileged context to a higher-privileged Android service. No user interaction is required, which removes a key mitigation typically present in media-handling bugs. The Exploit Prediction Scoring System (EPSS) currently lists this issue at the 13.677 percentile.

Root Cause

The root cause is improper validation of arithmetic on the numberOfReportBlocks field used during RTCP packet handling. When the field is crafted to force the multiplication or addition used in buffer sizing to wrap, the resulting allocation or index becomes smaller or larger than intended. Subsequent writes then land outside the allocated buffer, corrupting adjacent memory belonging to the RTP session structures.

Attack Vector

The attack vector is Network. An adjacent peer in an active RTP session, or an attacker capable of injecting RTCP packets into a session reachable by the target, can craft a malformed report block count to trigger the overflow. Because privileges required are low and user interaction is none, the vulnerability is exploitable against background media processing paths that handle untrusted RTCP traffic. Consult the Android Security Bulletin for affected component details.

Detection Methods for CVE-2026-0161

Indicators of Compromise

  • Unexpected crashes or tombstone entries referencing RtpSession.cpp or RTCP parsing frames
  • Abnormal RTCP packets containing unusually large or malformed report block counts
  • Privilege transitions in media-handling processes such as mediaserver or related telephony services without a corresponding legitimate trigger

Detection Strategies

  • Monitor Android logcat and dropbox artifacts for native crashes in RTP/RTCP code paths
  • Inspect network captures of SIP/VoIP and WebRTC sessions for malformed RTCP Sender Report or Receiver Report packets
  • Apply behavioral analytics to detect privilege escalation patterns originating from media subsystems on mobile endpoints

Monitoring Recommendations

  • Aggregate mobile crash telemetry centrally and alert on repeated faults in RTP handling components
  • Track Android patch level deployment across the fleet and flag devices below the June 2026 security patch level
  • Correlate VoIP gateway logs with endpoint crashes to identify potential exploitation attempts in real time

How to Mitigate CVE-2026-0161

Immediate Actions Required

  • Install the June 2026 Android security patch level or later on all affected Pixel and Android devices
  • Restrict exposure of RTP/RTCP endpoints to trusted peers using session border controllers or VoIP gateways
  • Audit enterprise mobile management (EMM/MDM) policies to enforce timely security update installation

Patch Information

Google published the fix in the Android Security Bulletin Pixel Update for June 2026. Devices must be updated to the June 2026 security patch level. Carrier and OEM rollout schedules vary, so verify the applied patch level under device settings after the update completes.

Workarounds

  • Disable or limit VoIP and video calling features that rely on the affected RTP stack until patches are applied
  • Use a session border controller or VPN to filter RTCP packets from untrusted networks
  • Apply network segmentation to prevent untrusted peers from reaching device RTP listeners
bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output should be 2026-06-01 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.