CVE-2026-0135

Vulnerability

In the Modem component of Google Pixel devices, an out-of-bounds read vulnerability exists due to a missing bounds check. This flaw, identified as CVE-2026-0135, is present in firmware versions prior to the 2026-06-05 security patch level. The affected component is the Modem, as listed in the Pixel Update Bulletin [1].

Exploitation

An attacker can exploit this vulnerability remotely without any user interaction and without requiring additional execution privileges. The exact network vector is not detailed in the available references, but the Modem's exposure to baseband messages makes it likely that the attack is carried out over the air via crafted baseband signaling. No authentication or physical proximity is needed beyond standard network access [1].

Impact

Successful exploitation allows an attacker to achieve remote code execution (RCE) on the device's Modem processor. Since the Modem runs at a privileged level, this could lead to further compromise of the device. The severity is rated Critical [1].

Mitigation

Google addressed this vulnerability in the June 2026 Pixel Update Bulletin with a security patch level of 2026-06-05 or later. Users should apply the over-the-air (OTA) update to receive the fix. No workarounds have been published; updating to the latest security patch is the recommended mitigation [1].