CVE-2026-0160

Vulnerability

An out-of-bounds write vulnerability exists in TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp on Pixel devices. The bug is caused by a missing bounds check when processing T.140 real-time text payloads. This affects Pixel devices running security patch levels prior to the 2026-06-05 update (see [1]).

Exploitation

An attacker can trigger this vulnerability remotely without any special privileges or user interaction. The code path is reachable when the device receives a crafted RTP (Real-time Transport Protocol) stream carrying T.140 text data. No authentication or local access is required; a remote network position suffices.

Impact

Successful exploitation results in remote code execution (RCE) at the privilege level of the affected component. The missing bounds check enables out-of-bounds memory corruption, which can be leveraged to execute arbitrary code. The impact is full compromise of the affected Pixel device's confidentiality, integrity, and availability.

Mitigation

Google released a fix in the Pixel Update Bulletin on June 16, 2026, with a security patch level of 2026-06-05 [1]. All supported Pixel devices should be updated to this patch level. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. No known workarounds exist; applying the vendor update is the only mitigation [1].