CVE-2026-0161 Overview
CVE-2026-0161 is an integer overflow vulnerability in the numberOfReportBlocks function of RtpSession.cpp in Google Android. The flaw enables an out-of-bounds write that can be triggered remotely without user interaction. Successful exploitation results in remote escalation of privilege without requiring additional execution privileges. The weakness is classified under CWE-190: Integer Overflow or Wraparound. Google addressed the issue in the Android Security Bulletin for June 2026.
Critical Impact
Remote attackers can trigger memory corruption in the Real-time Transport Protocol (RTP) session handler to escalate privileges on affected Android devices without user interaction.
Affected Products
- Google Android (Pixel)
- Android components processing RTP/RTCP traffic via RtpSession.cpp
- Devices covered by the June 2026 Pixel security bulletin
Discovery Timeline
- 2026-06-01 - Google releases the Pixel security bulletin addressing the issue
- 2026-06-16 - CVE-2026-0161 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD
Technical Details for CVE-2026-0161
Vulnerability Analysis
The vulnerability resides in the numberOfReportBlocks logic within RtpSession.cpp, the component responsible for parsing Real-time Transport Control Protocol (RTCP) report blocks. An attacker-supplied value influences a size calculation that overflows the bounds of the integer type. The overflowed value is subsequently used to size or index a memory operation, producing an out-of-bounds write.
The exposure is network-reachable because RTP and RTCP sessions accept data from remote peers during media exchanges. The flaw allows escalation of privilege from a low-privileged context to a higher-privileged Android service. No user interaction is required, which removes a key mitigation typically present in media-handling bugs. The Exploit Prediction Scoring System (EPSS) currently lists this issue at the 13.677 percentile.
Root Cause
The root cause is improper validation of arithmetic on the numberOfReportBlocks field used during RTCP packet handling. When the field is crafted to force the multiplication or addition used in buffer sizing to wrap, the resulting allocation or index becomes smaller or larger than intended. Subsequent writes then land outside the allocated buffer, corrupting adjacent memory belonging to the RTP session structures.
Attack Vector
The attack vector is Network. An adjacent peer in an active RTP session, or an attacker capable of injecting RTCP packets into a session reachable by the target, can craft a malformed report block count to trigger the overflow. Because the required privileges are low and no user interaction is needed, the vulnerability is exploitable against background media processing paths that handle untrusted RTCP traffic. Consult the Android Security Bulletin for affected component details.
Detection Methods for CVE-2026-0161
Indicators of Compromise
- Unexpected crashes or tombstone entries referencing RtpSession.cpp or RTCP parsing frames
- Abnormal RTCP packets containing unusually large or malformed report block counts
- Privilege transitions in media-handling processes such as mediaserver or related telephony services without a corresponding legitimate trigger
Detection Strategies
- Monitor Android logcat and dropbox artifacts for native crashes in RTP/RTCP code paths
- Inspect network captures of SIP/VoIP and WebRTC sessions for malformed RTCP Sender Report or Receiver Report packets
- Apply behavioral analytics to detect privilege escalation patterns originating from media subsystems on mobile endpoints
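The following is an added example, not code from Android or from the advisory: it shows the overflow-safe sizing check that the Root Cause section describes as missing (count times report-block size, plus header, with wraparound rejected instead of silently wrapping), and applies it as a network-side sanity check that flags RTCP Sender/Receiver Report packets whose report count is inconsistent with their length field, the indicator listed under Detection Strategies. The RTCP field layout and sizes come from RFC 3550; the sample packets are constructed, not captured traffic, and the function names are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RTCP constants from RFC 3550: common header + SSRC = 8 bytes,
 * SR sender info = 20 bytes, each report block = 24 bytes. */
#define RTCP_SR 200u
#define RTCP_RR 201u
#define RTCP_HDR_SSRC_LEN 8u
#define RTCP_SENDER_INFO_LEN 20u
#define RTCP_REPORT_BLOCK_LEN 24u

/* Overflow-safe sizing: bytes needed for `fixed` header bytes plus `count`
 * report blocks. Returns false instead of wrapping when the product or the
 * sum would not fit in 32 bits (the arithmetic class named in the advisory). */
bool rtcp_report_blocks_size(uint32_t count, uint32_t fixed, uint32_t *out) {
    uint32_t blocks, total;
    if (__builtin_mul_overflow(count, RTCP_REPORT_BLOCK_LEN, &blocks)) return false;
    if (__builtin_add_overflow(fixed, blocks, &total)) return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the computed size, or 0 when the arithmetic would wrap. */
uint32_t rtcp_sized_or_zero(uint32_t count, uint32_t fixed) {
    uint32_t n;
    return rtcp_report_blocks_size(count, fixed, &n) ? n : 0;
}

/* Check one SR/RR packet: returns the report count, or -1 if the RC field,
 * the length field and the bytes actually received disagree. */
int rtcp_check_report_packet(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < RTCP_HDR_SSRC_LEN) return -1;
    if ((pkt[0] >> 6) != 2) return -1;                   /* version must be 2 */
    uint32_t rc = pkt[0] & 0x1f;                          /* 5-bit report count */
    uint8_t pt = pkt[1];
    uint32_t declared = ((uint32_t)((pkt[2] << 8) | pkt[3]) + 1) * 4; /* words minus one */
    if (declared > pkt_len) return -1;                    /* header promises more than arrived */
    uint32_t fixed = (pt == RTCP_SR) ? RTCP_HDR_SSRC_LEN + RTCP_SENDER_INFO_LEN
                   : (pt == RTCP_RR) ? RTCP_HDR_SSRC_LEN : 0;
    if (fixed == 0) return -1;                            /* not an SR/RR packet */
    uint32_t needed;
    if (!rtcp_report_blocks_size(rc, fixed, &needed)) return -1;
    if (needed > declared) return -1;                     /* RC claims blocks the packet lacks */
    return (int)rc;
}

/* Constructed samples: a well-formed RR with one block (length 7 -> 32 bytes), and
 * an RR whose RC=3 needs 80 bytes but whose length field allows only 8. */
static const uint8_t good_rr[32] = { 0x81, 201, 0x00, 0x07 };
static const uint8_t bad_rr[8]   = { 0x83, 201, 0x00, 0x01 };
```

A capture-side monitor would run `rtcp_check_report_packet` over each RTCP packet in a SIP/VoIP or WebRTC session and alert on any -1 result, which is the "malformed report block count" indicator above.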
Monitoring Recommendations
- Aggregate mobile crash telemetry centrally and alert on repeated faults in RTP handling components
- Track Android patch level deployment across the fleet and flag devices below the June 2026 security patch level
- Correlate VoIP gateway logs with endpoint crashes to identify potential exploitation attempts in real time
How to Mitigate CVE-2026-0161
Immediate Actions Required
- Install the June 2026 Android security patch level or later on all affected Pixel and Android devices
- Restrict exposure of RTP/RTCP endpoints to trusted peers using session border controllers or VoIP gateways
- Audit enterprise mobile management (EMM/MDM) policies to enforce timely security update installation
Patch Information
Google published the fix in the Android Security Bulletin Pixel Update for June 2026. Devices must be updated to the June 2026 security patch level. Carrier and OEM rollout schedules vary, so verify the applied patch level under device settings after the update completes.
Workarounds
- Disable or limit VoIP and video calling features that rely on the affected RTP stack until patches are applied
- Use a session border controller or VPN to filter RTCP packets from untrusted networks
- Apply network segmentation to prevent untrusted peers from reaching device RTP listeners
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output should be 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.