CVE-2026-0165 Overview
CVE-2026-0165 is an out-of-bounds read vulnerability in the Real-time Transport Control Protocol (RTCP) packet decoder on Google Android. Several decoder functions fail to perform proper bounds checking before reading from memory buffers. An attacker who can deliver a crafted RTCP packet to a target device can trigger the read past the intended buffer boundary. Successful exploitation leads to remote information disclosure without requiring elevated execution privileges. User interaction is required to complete the attack chain. The flaw is tracked under CWE-120 and was published in the Android Security Bulletin for June 2026.
Critical Impact
Attackers can disclose sensitive memory contents from Android devices by sending malformed RTCP packets that the decoder processes without validating buffer length.
Affected Products
- Google Android (per Android Security Bulletin June 2026)
- Pixel devices covered by the June 2026 Pixel Update Bulletin
- Android components processing RTCP streams in real-time communication stacks
Discovery Timeline
- 2026-06-01 - Addressed in the Android Security Bulletin June 2026
- 2026-06-16 - CVE-2026-0165 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0165
Vulnerability Analysis
The vulnerability resides in multiple functions of the Android RTCP packet decoder. RTCP is the control channel companion to RTP and carries statistics, sender reports, and feedback messages for real-time media sessions. The affected decoder routines parse variable-length RTCP report blocks and extension fields without verifying that the declared length stays within the bounds of the received packet buffer. When the decoder advances its read pointer based on attacker-controlled length fields, it can read adjacent process memory and copy that data into structures returned to higher-level components. The result is a memory information disclosure that exposes data outside the intended packet payload. The flaw maps to CWE-120, Buffer Copy without Checking Size of Input.
Root Cause
The root cause is missing input validation in the RTCP decoder. The affected functions trust length and count fields embedded in incoming packets rather than comparing them against the actual buffer size. Without this bounds check, the parser dereferences memory beyond the allocated region during normal decode operations.
Attack Vector
The attack vector is network-based. An attacker delivers a crafted RTCP packet to a target Android device participating in a real-time communication session. User interaction is required, which is consistent with the victim joining or accepting a call or media session that establishes the RTCP control channel. No additional execution privileges are needed beyond those granted to the receiving media application. Disclosed memory may include session state, decoder internals, or other process data useful for further attacks.
No public proof-of-concept or exploit code is currently associated with CVE-2026-0165. See the Android Security Bulletin June 2026 for vendor-provided technical context.
Detection Methods for CVE-2026-0165
Indicators of Compromise
- Inbound RTCP packets containing report block counts or extension lengths that exceed the actual UDP payload size
- Media applications generating repeated decoder warnings or crashes during RTP/RTCP session setup
- Unusual RTCP traffic from untrusted peers that does not correspond to an established signaling session
Detection Strategies
- Inspect RTCP traffic at network sensors and validate that declared length fields stay within packet boundaries
- Correlate Android application telemetry with network capture data for sessions terminating in decoder errors
- Track device patch level against the Android Security Bulletin June 2026 baseline to identify exposed endpoints
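The root cause above (length and count fields trusted over the real buffer size) and the first detection strategy (validate declared RTCP lengths against packet boundaries at a sensor) come down to the same check. The following C parser is an added example written for this page; it is not Android's decoder and does not reproduce the affected functions. It walks a compound RTCP packet using the RFC 3550 header layout (2-bit version, padding bit, 5-bit count, payload type, 16-bit length in 32-bit words minus one) and rejects any sub-packet whose declared length exceeds the bytes actually received, or whose report/SSRC count implies more bytes than that declared length holds. The function and enum names and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RTCP payload types from RFC 3550 */
#define RTCP_SR  200
#define RTCP_RR  201
#define RTCP_BYE 203

enum rtcp_status {
    RTCP_OK          =  0,
    RTCP_ERR_SHORT   = -1,  /* fewer than 4 bytes left where a header must be */
    RTCP_ERR_VERSION = -2,  /* version field is not 2 */
    RTCP_ERR_LENGTH  = -3,  /* declared length runs past the received buffer */
    RTCP_ERR_PADDING = -4,  /* padding count is 0 or eats into the header */
    RTCP_ERR_COUNT   = -5,  /* RC/SC needs more bytes than the declared length holds */
};

struct rtcp_hdr {
    uint8_t version, padding, count, pt;
    size_t  length_bytes;   /* (length_words + 1) * 4, as on the wire */
    size_t  body_bytes;     /* length_bytes minus any trailing padding */
};

/* Parse one fixed header at buf and check every wire-derived size against
 * 'avail', the number of bytes actually received from this offset onward. */
static enum rtcp_status rtcp_parse_header(const uint8_t *buf, size_t avail,
                                          struct rtcp_hdr *h)
{
    if (avail < 4)
        return RTCP_ERR_SHORT;
    h->version = buf[0] >> 6;
    h->padding = (buf[0] >> 5) & 1;
    h->count   = buf[0] & 0x1f;
    h->pt      = buf[1];
    uint16_t length_words = (uint16_t)((buf[2] << 8) | buf[3]);
    h->length_bytes = ((size_t)length_words + 1) * 4;
    if (h->version != 2)
        return RTCP_ERR_VERSION;
    /* The bounds check the page describes as missing: an attacker-controlled
     * length must never exceed the bytes that really arrived. */
    if (h->length_bytes > avail)
        return RTCP_ERR_LENGTH;
    h->body_bytes = h->length_bytes;
    if (h->padding) {
        uint8_t pad = buf[h->length_bytes - 1];   /* safe: length_bytes <= avail */
        if (pad == 0 || pad > h->length_bytes - 4)
            return RTCP_ERR_PADDING;
        h->body_bytes -= pad;
    }
    return RTCP_OK;
}

/* Minimum bytes the count field implies for types with fixed-size items.
 * SDES, APP and feedback messages have variable items and need their own walkers. */
static size_t rtcp_min_body_for_count(const struct rtcp_hdr *h)
{
    switch (h->pt) {
    case RTCP_SR:  return 4 + 4 + 20 + (size_t)h->count * 24; /* hdr, SSRC, sender info, reports */
    case RTCP_RR:  return 4 + 4 + (size_t)h->count * 24;      /* hdr, SSRC, reports */
    case RTCP_BYE: return 4 + (size_t)h->count * 4;           /* hdr, SSRC list */
    default:       return 4;
    }
}

/* Walk a compound RTCP packet. Returns the number of sub-packets accepted,
 * or a negative enum rtcp_status for the first malformed one. */
int rtcp_validate_compound(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        struct rtcp_hdr h;
        enum rtcp_status st = rtcp_parse_header(buf + off, len - off, &h);
        if (st != RTCP_OK)
            return st;
        if (rtcp_min_body_for_count(&h) > h.body_bytes)
            return RTCP_ERR_COUNT;   /* e.g. RC=5 inside a 32-byte RR */
        off += h.length_bytes;
        n++;
    }
    return n;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_RR_OK[32] = {
    0x81, 0xC9, 0x00, 0x07,   /* V=2 P=0 RC=1, PT=RR, length=7 words -> 32 bytes */
    0x11, 0x22, 0x33, 0x44,   /* reporter SSRC */
    0xAA, 0xBB, 0xCC, 0xDD, 0, 0, 0, 0, 0, 0, 0, 0x10,
    0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0 /* one 24-byte report block */
};
static const uint8_t SAMPLE_RR_BAD_COUNT[32] = {
    0x85, 0xC9, 0x00, 0x07,   /* RC=5 claims 120 bytes of reports in a 32-byte packet */
    0x11, 0x22, 0x33, 0x44,
    0xAA, 0xBB, 0xCC, 0xDD, 0, 0, 0, 0, 0, 0, 0, 0x10,
    0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t SAMPLE_RR_BAD_LENGTH[32] = {
    0x81, 0xC9, 0x00, 0xFF,   /* length=255 words -> 1024 bytes declared, 32 received */
    0x11, 0x22, 0x33, 0x44,
    0xAA, 0xBB, 0xCC, 0xDD, 0, 0, 0, 0, 0, 0, 0, 0x10,
    0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t SAMPLE_COMPOUND_OK[36] = {
    0x80, 0xC8, 0x00, 0x06,   /* SR, RC=0, length=6 words -> 28 bytes */
    0x11, 0x22, 0x33, 0x44,   /* SSRC */
    0, 0, 0, 0, 0, 0, 0, 0,   /* NTP timestamp */
    0, 0, 0, 0,               /* RTP timestamp */
    0, 0, 0, 1,               /* sender packet count */
    0, 0, 0, 0xA0,            /* sender octet count */
    0x81, 0xCB, 0x00, 0x01,   /* BYE, SC=1, length=1 word -> 8 bytes */
    0x11, 0x22, 0x33, 0x44
};

int main(void)
{
    printf("valid RR: %d\n", rtcp_validate_compound(SAMPLE_RR_OK, sizeof SAMPLE_RR_OK));
    printf("RC too large: %d\n", rtcp_validate_compound(SAMPLE_RR_BAD_COUNT, sizeof SAMPLE_RR_BAD_COUNT));
    printf("length past buffer: %d\n", rtcp_validate_compound(SAMPLE_RR_BAD_LENGTH, sizeof SAMPLE_RR_BAD_LENGTH));
    printf("SR+BYE compound: %d\n", rtcp_validate_compound(SAMPLE_COMPOUND_OK, sizeof SAMPLE_COMPOUND_OK));
    return 0;
}
```

The same routine serves both sides: a sensor can run it over the UDP payload of each RTCP flow and raise the first indicator of compromise listed above whenever it returns RTCP_ERR_LENGTH or RTCP_ERR_COUNT, and a decoder that performs these checks before touching any report block never advances its read pointer past the received buffer. Note that the check on the count field must use the declared length after padding is removed, not the raw buffer size, so a packet that is long enough overall but whose padding swallows the last report block is still rejected.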
Monitoring Recommendations
- Monitor mobile device management (MDM) inventories for handsets running pre-June 2026 security patch levels
- Log and review RTCP-bearing flows from external networks into enterprise voice and video infrastructure
- Alert on repeated media session failures or crashes in communication apps that handle RTP/RTCP
How to Mitigate CVE-2026-0165
Immediate Actions Required
- Apply the June 2026 Android security patch level to all managed Android and Pixel devices
- Enforce minimum patch level policies through MDM to block non-compliant devices from corporate resources
- Restrict RTCP-capable applications to vetted communication platforms that authenticate peers before media exchange
Patch Information
Google addressed CVE-2026-0165 in the June 2026 Android Security Bulletin. Device manufacturers ship the corresponding fix through their respective security patch level updates. Refer to the Android Security Bulletin June 2026 for the authoritative list of fixed builds and Pixel-specific guidance.
Workarounds
- Avoid accepting media sessions from unknown or untrusted callers until devices are patched
- Route real-time communications through session border controllers that validate RTCP packet structure
- Disable optional RTCP extensions in enterprise communication clients where the configuration permits
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

