CVE-2026-0154
Description
A memory corruption vulnerability in the Modem component during SIP REFER request processing could allow remote code execution without user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Modem component of Google Pixel devices. It is triggered by a specially crafted SIP REFER request, which causes memory corruption and can lead to a modem crash. The issue affects all supported Google devices running a security patch level earlier than 2026-06-05.
Exploitation
An attacker can exploit this vulnerability by sending a malicious SIP REFER request to the target device over the network. No user interaction is required, and the attacker does not need any additional execution privileges beyond the ability to send the crafted request. The memory corruption occurs during processing of the SIP message, potentially leading to code execution.
Impact
Successful exploitation could allow arbitrary code execution within the Modem context. Since the Modem operates with high privileges on the device, this could lead to full compromise of the device, including access to sensitive data, persistent control, or further escalation of privileges.
Mitigation
The fix for CVE-2026-0154 is included in the 2026-06-05 security patch level, as detailed in the Pixel Update Bulletin—June 2026 [1]. All supported Google devices should apply the June 2026 security update to remediate the vulnerability. No workarounds are currently available.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions
No linked articles in our index yet.