Android SDK: 13 Kernel Networking CVEs Patched in June 2026 Bulletin
Google's June 2026 Android Security Bulletin patches 13 kernel networking CVEs spanning netfilter, VRF, tunneling, and packet-scheduling subsystems, with five bugs rated at CVSS 7.0.
Key findings
- 13 kernel networking CVEs disclosed together in the June 2026 Android Security Bulletin
- Netfilter subsystem accounts for 5 of the 13 bugs, including OOB read and info leak
- Most severe flaws (CVE-2026-53131, CVE-2026-53091, CVE-2026-52935, CVE-2026-52940, CVE-2026-52920) rated CVSS 7.0
- Bugs span netfilter, VRF, tunneling, batman-adv, TUN/TAP, and MD RAID subsystems
- No in-the-wild exploitation reported as of disclosure date
- All fixes included in the June 2026 Android security update; OEMs integrating into OTA builds
Thirteen kernel-level vulnerabilities affecting the Android SDK's networking stack were disclosed together on June 24–25, 2026, spanning netfilter, VRF, tunneling, and packet-scheduling subsystems. The batch, which includes use-after-free, out-of-bounds read, null-pointer dereference, and information-leak bugs, was addressed in the June 2026 Android Security Bulletin, with the most severe flaws rated at CVSS 7.0.
Netfilter Bugs Dominate the Batch
The netfilter subsystem accounts for the largest cluster of fixes. CVE-2026-53131 addresses a missing Ethernet MAC header check before calling eth_hdr(), which could lead to memory corruption. CVE-2026-53219 fixes a percpu counter pointer leak in x_tables that could expose kernel memory addresses to local attackers. CVE-2026-52915 rejects oversized IPv6 option lists in ip6t_hbh, preventing a potential denial-of-service condition. CVE-2026-52927 patches an out-of-bounds read in the ebtables compat_mtw_from_user function, which could be triggered by crafted netfilter rules. Finally, CVE-2026-52920 corrects strict-mode inbound policy matching in xt_policy, ensuring that firewall rules are evaluated correctly.
Tunnel and VRF Vulnerabilities
Three CVEs affect the tunneling and virtual routing subsystems. CVE-2026-53221 fixes incorrect tunnel matching in vti6_tnl_lookup() for IPv6 VTI interfaces, which could cause traffic to be misrouted. CVE-2026-52925 resolves a potential null-pointer dereference (NPD) when removing a port from a VRF device. CVE-2026-52935 addresses a bug in the ESP-over-TCP (espintcp) implementation where an in-progress partial send could be incorrectly reused, potentially leading to data corruption or information disclosure.
Memory Safety and Use-After-Free
CVE-2026-53248 fixes a use-after-free vulnerability in the metadata destination teardown path for Airoha Ethernet hardware. The bug could be exploited to achieve kernel memory corruption. Separately, CVE-2026-52926 clears the current gateway pointer during batman-adv teardown, preventing a dangling reference that could lead to a use-after-free condition in the mesh networking driver.
Packet Processing and Sysfs Deadlock
CVE-2026-53091 (rated Important, CVSS 7.0) addresses a missing header pull in qdisc_pkt_len_segs_init(), which could cause the kernel to operate on uninitialized packet data. CVE-2026-52940 ensures the entire vnet header is zeroed in tun_put_user(), preventing kernel memory leaks through the TUN/TAP virtual network interface. CVE-2026-53125 fixes a deadlock in the MD (multiple device) RAID subsystem when writing array_state=clear via sysfs, rated low severity but still a denial-of-service risk.
Patch Status and Mitigation
All 13 CVEs are addressed in the June 2026 Android Security Bulletin. Google has released patches for supported Android versions through the Android Common Kernel and vendor-specific kernel branches. Device manufacturers (OEMs) are expected to integrate the fixes into their monthly over-the-air (OTA) updates. Users should apply the June 2026 security update as soon as it becomes available for their device. No in-the-wild exploitation has been reported for any of these CVEs as of the disclosure date.
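As an added example (not part of the bulletin or of this article), a POSIX shell check that reads the security patch level a device reports and decides whether it already carries the June 2026 fixes; it assumes the bulletin maps to patch level 2026-06-01 or later, and the getprop output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the bulletin: decide whether a device's reported
# security patch level already carries the June 2026 bulletin fixes.
# The level is the Android property ro.build.version.security_patch (YYYY-MM-DD),
# normally read with:  adb shell getprop ro.build.version.security_patch
# ASSUMPTION: the June 2026 bulletin corresponds to patch level 2026-06-01 or later.
REQUIRED_PATCH_LEVEL="2026-06-01"

# extract_patch_level: read a full `getprop` dump on stdin, print the patch level value
extract_patch_level() {
    sed -n 's/^\[ro\.build\.version\.security_patch]: \[\(.*\)]$/\1/p'
}

# patch_level_covers LEVEL REQUIRED
#   returns 0 if LEVEL is on or after REQUIRED, 1 if it is older,
#   2 if LEVEL is empty or not an ISO date (treated as "not covered")
patch_level_covers() {
    lvl=$1
    req=$2
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # ISO dates become 8-digit integers once the dashes are dropped,
    # so a numeric comparison orders them correctly
    lvl_num=$(printf '%s' "$lvl" | tr -d -)
    req_num=$(printf '%s' "$req" | tr -d -)
    [ "$lvl_num" -ge "$req_num" ]
}

# Constructed sample of `adb shell getprop` output: a device still on the May 2026 level
SAMPLE_GETPROP='[ro.build.version.release]: [16]
[ro.build.version.security_patch]: [2026-05-05]
[ro.product.model]: [example-device]'

# check_sample: run the whole pipeline on the constructed sample and print a verdict;
# exit status 0 means the June 2026 fixes are present, 1 means they are missing
check_sample() {
    level=$(printf '%s\n' "$SAMPLE_GETPROP" | extract_patch_level)
    if patch_level_covers "$level" "$REQUIRED_PATCH_LEVEL"; then
        echo "patch level $level: June 2026 bulletin fixes present"
        return 0
    fi
    echo "patch level ${level:-<missing>}: predates $REQUIRED_PATCH_LEVEL, June 2026 fixes missing"
    return 1
}
```

Call `check_sample` to see the verdict on the embedded sample, or pipe real `adb shell getprop` output into `extract_patch_level` and pass the result to `patch_level_covers`.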
Why This Batch Matters
While none of these vulnerabilities carry a Critical severity rating, the density of networking-stack fixes — particularly in netfilter, which is a frequent target for privilege-escalation and sandbox-escape exploits — makes this batch significant for Android security posture. The fact that 13 kernel CVEs landed in a single bulletin window underscores the complexity of the upstream Linux networking code that Android inherits. Security teams managing Android devices in enterprise environments should prioritize the June 2026 update given the breadth of subsystems affected.