CVE-2026-0139
Description
CVE-2026-0139 is a missing bounds check in Modem leading to out-of-bounds write and remote code execution, no user interaction required.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the Modem component of affected Pixel devices, there is a possible out-of-bounds write due to a missing bounds check. This vulnerability exists in an unspecified code path within the Modem firmware. The issue affects Pixel devices running Android security patch levels prior to 2026-06-05, as described in the June 2026 Pixel Update Bulletin [1].
Exploitation
An attacker can exploit this vulnerability remotely over the cellular network without any user interaction or additional execution privileges. The exact sequence of steps has not been publicly disclosed, but the out-of-bounds write condition can be triggered by sending a specially crafted message or data to the Modem component [1].
Impact
Successful exploitation leads to remote code execution (RCE) within the context of the Modem. This could allow an attacker to execute arbitrary code on the modem processor, potentially leading to compromise of device communications, data exfiltration, or further escalation within the device [1].
Mitigation
Google has addressed this vulnerability in the Pixel Update Bulletin for June 2026. Devices with a security patch level of 2026-06-05 or later contain the fix. Users should ensure their device updates are applied. No workaround has been provided for users who cannot install the update [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.