CVE-2026-0129
Description
A missing bounds check in the RTCP Bye packet decoder on Pixel devices leads to remote information disclosure with user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In RtcpByePacket::decodeByePacket on Pixel devices, a missing bounds check allows an attacker to perform an out-of-bounds read. This vulnerability affects devices running Android kernel components and is addressed in the June 2026 Pixel Update Bulletin (security patch level 2026-06-05 or later)[1]. The issue can be triggered when a specially crafted RTCP Bye packet is decoded.
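The bug class described above, shown from the defensive side as an added example. This is not the Pixel code, whose source and fix are not shown on this page. It is a bounds-checked decoder for the RTCP BYE layout defined in RFC 3550 section 6.6. The struct, the function name `rtcp_bye_decode` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTCP_PT_BYE 203
struct rtcp_bye {
    uint8_t  count, reason_len;  /* SC field (0..31), reason text length */
    uint32_t ssrc[31];
    char     reason[256];        /* NUL-terminated copy of optional reason */
};

/* Decode one RTCP BYE packet from buf[0..len). Returns 0, or -1 if malformed. */
int rtcp_bye_decode(const uint8_t *buf, size_t len, struct rtcp_bye *out)
{
    if (len < 4 || (buf[0] >> 6) != 2 || buf[1] != RTCP_PT_BYE)
        return -1;
    /* The header length field counts 32-bit words minus one. */
    size_t end = (((size_t)buf[2] << 8 | buf[3]) + 1) * 4;
    if (end > len)
        return -1;                       /* claims more bytes than received */
    if (buf[0] & 0x20) {                 /* P bit: last octet = padding count */
        if (buf[end - 1] == 0 || buf[end - 1] > end - 4)
            return -1;
        end -= buf[end - 1];
    }
    size_t off = 4;
    out->count = buf[0] & 0x1f;
    if ((size_t)out->count * 4 > end - off)
        return -1;                       /* SC promises more SSRCs than present */
    for (uint8_t i = 0; i < out->count; i++, off += 4)
        out->ssrc[i] = (uint32_t)buf[off] << 24 | (uint32_t)buf[off + 1] << 16 |
                       (uint32_t)buf[off + 2] << 8 | buf[off + 3];
    out->reason_len = 0;
    if (off < end) {                     /* optional length-prefixed reason */
        uint8_t rl = buf[off++];
        if (rl > end - off)
            return -1;                   /* reason length runs past the packet */
        memcpy(out->reason, buf + off, rl);
        out->reason_len = rl;
    }
    out->reason[out->reason_len] = '\0';
    return 0;
}

/* Constructed samples: valid BYE (1 SSRC, reason "bye"), then two malformed. */
const uint8_t ok_bye[]     = {0x81, 203, 0, 2, 0xDE, 0xAD, 0xBE, 0xEF, 3, 'b', 'y', 'e'};
const uint8_t bad_reason[] = {0x81, 203, 0, 2, 0xDE, 0xAD, 0xBE, 0xEF, 200, 'b', 'y', 'e'};
const uint8_t bad_count[]  = {0x9F, 203, 0, 1, 0xDE, 0xAD, 0xBE, 0xEF};
struct rtcp_bye decoded;   /* scratch output for callers */
```

Every length the packet declares about itself (header length, source count, padding count, reason length) is compared against the bytes that remain before it is used as an index or copy size.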
Exploitation
To exploit this vulnerability, an attacker must be able to deliver a malicious RTCP packet to the device. User interaction is required for successful exploitation, meaning the victim must take an action such as receiving a call or accepting a media stream that triggers the decoding of the RTCP Bye packet. No additional execution privileges are needed beyond normal user access[1].
Impact
Successful exploitation leads to remote information disclosure. The out-of-bounds read could expose sensitive memory contents from the affected device process, potentially leaking data such as cryptographic keys or other private information. The impact is limited to information disclosure and does not allow code execution or privilege escalation[1].
Mitigation
Google addressed this vulnerability in the June 2026 Pixel Update Bulletin. Devices with a security patch level of 2026-06-05 or later are protected[1]. Users should ensure their Pixel device is updated to the latest security patch level via the system update mechanism. No workaround is available other than applying the update[1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.