CVE-2026-0130
Description
A heap buffer overflow in Android's RtcpChunk::decodeRtcpChunk leads to remote information disclosure via a crafted RTCP packet requiring user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In RtcpChunk::decodeRtcpChunk, a heap buffer overflow allows an out-of-bounds read. The bug resides in the RTCP chunk decoding logic and is reachable when a specially crafted RTCP packet is processed. This affects Pixel devices with security patch levels before the June 2026 bulletin, specifically all supported Google devices before the 2026-06-05 patch level [1].
Exploitation
An attacker must deliver a malicious RTCP packet to the target device and the user must interact (e.g., accept or process the packet) to trigger the vulnerable code path. No additional execution privileges are needed; the attacker only requires network position to send the crafted packet and user interaction to invoke the decoding [1].
Impact
Successful exploitation leads to remote information disclosure. The attacker can read out-of-bounds heap memory, potentially leaking sensitive data from the device's memory [1]. The scope is limited to information disclosure; code execution is not implied.
Mitigation
The vulnerability is fixed in the June 2026 Pixel Update Bulletin. Devices that receive the 2026-06-05 or later security patch level are protected. Users should update their Pixel devices to the latest security patch level [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions
No linked articles in our index yet.