Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-0157

Description

An out-of-bounds read in RtcpHeader::decodeRtcpHeader on Pixel devices allows remote information disclosure without user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the RtcpHeader::decodeRtcpHeader function of Pixel devices due to a missing bounds check on an RTCP packet length field. This affects all supported Pixel devices running security patch levels prior to 2026-06-05. The component is part of the Android framework's media or network stack, where RTCP packets are parsed.
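The bug class described above, shown from the defensive side as an added example: a C validator for the RTCP common header (RFC 3550) that rejects any packet whose length field claims more bytes than were received. This is not the Pixel code, which is not available on this page; the function names, error codes and sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { RTCP_OK = 0, RTCP_TRUNCATED = -1, RTCP_BAD_VERSION = -2,
       RTCP_LEN_OVERRUN = -3, RTCP_BAD_PADDING = -4 };

/* RTCP common header fields (RFC 3550, section 6.4.1). */
struct rtcp_hdr {
    uint8_t version, padding, count, packet_type;
    size_t  packet_len;              /* whole packet, in bytes */
};

/* Hypothetical helper: accept a header only if the packet it declares fits in avail. */
int rtcp_parse_header(const uint8_t *buf, size_t avail, struct rtcp_hdr *out)
{
    if (buf == NULL || out == NULL || avail < 4) return RTCP_TRUNCATED;
    out->version     = buf[0] >> 6;
    out->padding     = (buf[0] >> 5) & 1;
    out->count       = buf[0] & 0x1f;
    out->packet_type = buf[1];
    if (out->version != 2) return RTCP_BAD_VERSION;
    /* The length field is the packet size in 32-bit words, minus one. */
    out->packet_len = ((((size_t)buf[2] << 8) | buf[3]) + 1) * 4;
    /* Without this comparison, later reads trust an attacker-chosen size. */
    if (out->packet_len > avail) return RTCP_LEN_OVERRUN;
    if (out->padding) {              /* last octet counts the padding octets */
        uint8_t pad = buf[out->packet_len - 1];
        if (pad == 0 || pad % 4 != 0 || pad > out->packet_len - 4) return RTCP_BAD_PADDING;
    }
    return RTCP_OK;
}

/* Walk a compound datagram; returns the packet count or a negative error. */
int rtcp_walk_compound(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        struct rtcp_hdr h;
        int rc = rtcp_parse_header(buf + off, len - off, &h);
        if (rc != RTCP_OK) return rc;
        off += h.packet_len;         /* packet_len <= len - off, so off never passes len */
        n++;
    }
    return n;
}

/* Constructed samples: an RR + BYE compound, and a header claiming 65536 words. */
const uint8_t sample_ok[]      = { 0x80,0xC9,0,1, 0,0,0,1, 0x81,0xCB,0,1, 0,0,0,1 };
const uint8_t sample_overrun[] = { 0x80,0xC9,0xFF,0xFF, 0,0,0,1 };
```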

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted RTCP packet to a vulnerable device over the network. No authentication, additional privileges, or user interaction are required. The lack of bounds checking allows the parser to read memory beyond the allocated buffer when processing the manipulated packet.

Impact

Successful exploitation leads to remote information disclosure, where the OOB read may leak sensitive data from kernel or process memory. While the vulnerability does not provide code execution, the leaked information could be used to further compromise the device or bypass security mitigations.

Mitigation

The vulnerability is fixed in the Pixel security patch level 2026-06-05, included in the June 2026 Pixel Update Bulletin [1]. All supported Pixel devices should be updated to this patch level or later. No workaround is available for unpatched devices.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
