CVE-2026-0162 Overview
CVE-2026-0162 is a type confusion vulnerability in the ParsePayloads function of AudioSdpParser.cpp in Google Android. The flaw causes memory corruption when the parser processes Session Description Protocol (SDP) audio payloads. Successful exploitation can lead to remote code execution within the affected process context. No user interaction is required to trigger the vulnerability, and the attack vector is network-based. The issue is tracked under CWE-843: Access of Resource Using Incompatible Type (Type Confusion) and is addressed in the Android Security Bulletin June 2026.
Critical Impact
Attackers with low privileges can achieve remote code execution on affected Android devices without any user interaction.
Affected Products
- Google Android (see vendor bulletin for affected versions)
- Pixel devices listed in the June 2026 Android Security Bulletin
- Android devices using the affected AudioSdpParser component
Discovery Timeline
- 2026-06-16 - CVE-2026-0162 published to NVD
- 2026-06-17 - Last updated in NVD database
- 2026-06-01 - Patch released in Android Security Bulletin June 2026
Technical Details for CVE-2026-0162
Vulnerability Analysis
The vulnerability resides in the ParsePayloads routine of AudioSdpParser.cpp, a component responsible for parsing audio payload descriptors in SDP messages. SDP is used during the negotiation of real-time audio sessions, including Voice over IP (VoIP) and Voice over LTE (VoLTE) call setup. The parser treats an object or payload field as a type incompatible with its actual type, producing memory corruption when the parser dereferences or operates on the mistyped data.
Because SDP negotiation occurs early in the call signaling path, an attacker who can deliver crafted signaling messages to the device can reach the vulnerable code without prompting the user. The result is a memory corruption primitive that can be steered toward arbitrary code execution within the media or telephony process.
Root Cause
The root cause is a CWE-843 type confusion in payload parsing. The code paths in ParsePayloads do not enforce strict type validation before interpreting payload structures derived from attacker-controlled SDP input. When an unexpected payload type is supplied, the parser operates on memory under one type assumption while the underlying bytes correspond to a different type, producing exploitable memory corruption.
Attack Vector
The vulnerability is reachable over the network. A remote attacker with low privileges can deliver crafted SDP audio payloads through the signaling channels consumed by the affected parser. Exploitation does not require user interaction, which removes the typical click-or-open barrier seen in mobile RCE chains. The technical details of the parsing flow are described in the Android Security Bulletin June 2026.
No public proof-of-concept code has been released, and no exploit has been confirmed in the wild at the time of publication.
Detection Methods for CVE-2026-0162
Indicators of Compromise
- Unexpected crashes or restarts of telephony or media-related processes on affected Android devices.
- Abnormal SDP messages containing malformed or unexpected audio payload type descriptors observed in network traffic.
- Anomalous outbound connections originating from telephony or media services following inbound SDP traffic.
Detection Strategies
- Monitor mobile device management (MDM) and Android security logs for repeated crashes in media or VoIP components.
- Inspect SIP/SDP traffic at carrier or enterprise boundaries for malformed payload descriptors that deviate from RFC-compliant structures.
- Correlate device-side process crashes with inbound signaling traffic to identify potential exploitation attempts.
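The SIP/SDP inspection named in the list above can start from a structural conformance check on audio media sections. The following is an added example, not code from Google or from the bulletin, and it is not a signature for CVE-2026-0162: it flags audio payload descriptors that break the general `m=` / `a=rtpmap` / `a=fmtp` structure (RFC 8866, with the 96-127 dynamic range from RFC 3551). The sample SDP body is constructed.

```python
import re

PT = re.compile(r"[0-9]{1,3}")
# a=rtpmap:<payload type> <encoding name>/<clock rate>[/<channels>]
RTPMAP = re.compile(r"[0-9]{1,3} [A-Za-z0-9._+-]+/[1-9][0-9]{0,8}(/[1-9][0-9]{0,2})?")
RTP_PROTOS = {"RTP/AVP", "RTP/SAVP", "RTP/AVPF", "RTP/SAVPF"}

# Constructed sample (documentation address, made-up session values).
SAMPLE_BAD = (
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 300 97 97 98 100\r\n"
    "a=rtpmap:97 opus/48000/2\r\na=rtpmap:99 telephone-event/8000\r\n"
    "a=rtpmap:98 AMR/\r\n"
)

def audit_sdp_audio(sdp):
    """Return findings for audio payload descriptors that break RFC structure."""
    findings, declared, mapped, in_audio = [], set(), set(), False

    def close_section():
        # Dynamic payload types (96-127) have no static meaning and need an rtpmap.
        findings.extend(f"dynamic payload type {pt} has no rtpmap"
                        for pt in sorted(declared - mapped) if pt >= 96)

    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            close_section()
            declared, mapped = set(), set()
            parts = line[2:].split()
            in_audio = len(parts) >= 3 and parts[0] == "audio" and parts[2] in RTP_PROTOS
            if in_audio and len(parts) == 3:
                findings.append("audio m= line lists no payload types")
            for fmt in parts[3:] if in_audio else []:
                if not PT.fullmatch(fmt) or int(fmt) > 127:
                    findings.append(f"payload type {fmt!r} is not an integer in 0-127")
                elif int(fmt) in declared:
                    findings.append(f"payload type {fmt} listed twice")
                else:
                    declared.add(int(fmt))
        elif in_audio and line.startswith(("a=rtpmap:", "a=fmtp:")):
            attr, _, value = line[2:].partition(":")
            pt_text = value.split(" ", 1)[0]
            if not PT.fullmatch(pt_text) or int(pt_text) not in declared:
                findings.append(f"{attr} refers to undeclared payload type {pt_text!r}")
            elif attr == "rtpmap":
                mapped.add(int(pt_text))  # seen, even if malformed, to avoid a double report
                if not RTPMAP.fullmatch(value):
                    findings.append(f"rtpmap for payload type {pt_text} is malformed")
    close_section()
    return findings
```

A non-empty result is a reason to log the message and its source for review, not proof of an exploitation attempt.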
Monitoring Recommendations
- Enforce timely ingestion of Android device telemetry, including crash reports, into the SIEM or data lake used by the security team.
- Track patch level compliance against the June 2026 Android Security Bulletin across the mobile fleet.
- Alert on new or unusual processes spawned by telephony or media services on managed Android devices.
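Once crash reports and boundary signaling logs land in the same store, the crash-to-signaling correlation listed under Detection Strategies becomes a time-window join per device. This is an added example, not vendor tooling; the record fields, device IDs, process names and addresses are constructed placeholders, and the 30-second window is an assumption to tune.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field names, process names and addresses are placeholders.
SIGNALING = [
    {"device": "dev-01", "ts": "2026-06-20T10:00:00+00:00", "src": "198.51.100.7"},
    {"device": "dev-01", "ts": "2026-06-20T11:30:00+00:00", "src": "192.0.2.44"},
    {"device": "dev-02", "ts": "2026-06-20T10:05:10+00:00", "src": "198.51.100.7"},
    {"device": "dev-03", "ts": "2026-06-20T09:00:00+00:00", "src": "192.0.2.44"},
]
CRASHES = [
    {"device": "dev-01", "ts": "2026-06-20T10:00:04+00:00", "process": "media-service"},
    {"device": "dev-02", "ts": "2026-06-20T10:05:12+00:00", "process": "media-service"},
    {"device": "dev-03", "ts": "2026-06-20T12:00:00+00:00", "process": "telephony-service"},
]

def correlate(signaling, crashes, window_s=30):
    """Pair each crash with inbound SDP seen on the same device in the window_s
    seconds before it. Returns (device, process, crash_ts, sources) tuples."""
    seen = defaultdict(list)
    for ev in signaling:
        seen[ev["device"]].append((datetime.fromisoformat(ev["ts"]), ev["src"]))
    hits = []
    for crash in crashes:
        events = sorted(seen.get(crash["device"], []))
        times = [t for t, _ in events]
        t_crash = datetime.fromisoformat(crash["ts"])
        lo = bisect_left(times, t_crash - timedelta(seconds=window_s))
        hi = bisect_right(times, t_crash)
        sources = sorted({src for _, src in events[lo:hi]})
        if sources:  # crashes with no preceding signaling are not reported
            hits.append((crash["device"], crash["process"], crash["ts"], sources))
    return hits

def repeat_sources(hits, min_devices=2):
    """Signaling sources that precede crashes on at least min_devices devices."""
    devices = defaultdict(set)
    for device, _, _, sources in hits:
        for src in sources:
            devices[src].add(device)
    return sorted(s for s, d in devices.items() if len(d) >= min_devices)
```

A source returned by `repeat_sources` has preceded crashes on several devices and is the stronger lead for triage than a single paired crash.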
How to Mitigate CVE-2026-0162
Immediate Actions Required
- Apply the Android security patch level dated 2026-06-01 or later as soon as it is available from the device vendor or carrier.
- Prioritize patching for devices that handle VoIP, VoLTE, or other SDP-based audio signaling.
- Restrict exposure of vulnerable devices to untrusted SIP/SDP traffic where feasible, including through carrier-side filtering.
Patch Information
Google addressed CVE-2026-0162 in the Android Security Bulletin June 2026. Device manufacturers integrate the fix into their builds with the 2026-06-01 security patch level. Verify the patch level on each device through Settings or MDM reporting and confirm that it meets or exceeds 2026-06-01.
Workarounds
- No vendor-supplied workaround is documented; applying the security patch is the supported remediation.
- Reduce attack surface by disabling unused VoIP or VoLTE features on devices that do not require them, where policy allows.
- Limit acceptance of SDP signaling to trusted carriers or enterprise SBCs (Session Border Controllers) where possible.
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later

