VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-0147

Description

Out-of-bounds write in MFC core NAL queue decoder allows remote code execution without user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, a missing bounds check on SEI NAL data leads to an out-of-bounds write. This vulnerability affects the MFC (Multi-Format Codec) kernel driver on supported Pixel devices prior to the 2026-06-05 security patch level [1]. No specific version numbers are disclosed, but devices running earlier patch levels are affected.

Exploitation

An attacker can exploit this without any privileges or user interaction by sending a crafted media stream or packet that triggers processing of a malicious SEI NAL unit. The missing bounds check allows writing beyond allocated buffer boundaries during metadata parsing. The attack is remotely triggerable via any application that delivers video data to the MFC driver, such as a messaging app or browser.

Impact

Successful exploitation results in remote code execution in the kernel context. The attacker gains full control over the device, including the ability to install arbitrary code, access sensitive data, and modify system settings. The high severity and critical impact are consistent with a kernel-level RCE [1].

Mitigation

Google has released a fix as part of the June 2026 Pixel Update Bulletin with security patch level 2026-06-05 or later [1]. Users should apply the update through standard device OTA mechanisms. No workaround is available. Only supported Pixel models receive the patch.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
