VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-0161

Description

An integer overflow in RtpSession.cpp's numberOfReportBlocks leads to an out-of-bounds write, enabling remote escalation of privilege without user interaction on affected Pixel devices.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In numberOfReportBlocks of RtpSession.cpp, an integer overflow condition allows an out-of-bounds write when processing a crafted RTCP report block count. The vulnerability exists in the RTP/RTCP stack of Android's AOSP code, specifically in the component responsible for handling RTCP sender/receiver reports. Affected versions are those with security patch levels before 2026-06-05 on supported Pixel devices [1].
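As an added illustration (not AOSP's RtpSession.cpp and not the fix, since no diff is available for this CVE), the following C sketch shows the kind of validation a receiver report parser needs under RFC 3550: the report count is checked against both the packet's declared length and the destination capacity before any block is copied. All function and type names, and the sample packets built in `demo_parse`, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTCP_HDR_LEN   8u   /* V/P/RC, PT, length, sender SSRC */
#define RTCP_BLOCK_LEN 24u  /* one report block (RFC 3550, section 6.4.2) */
#define RTCP_PT_RR     201u /* receiver report packet type */

typedef struct { uint8_t raw[RTCP_BLOCK_LEN]; } report_block_t; /* hypothetical type */

/* Copies the report blocks of one receiver report into out[0..out_cap).
 * Returns the number of blocks copied, or -1 if the packet is rejected. */
int parse_rr_blocks(const uint8_t *pkt, size_t pkt_len,
                    report_block_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt_len < RTCP_HDR_LEN) return -1;
    if ((pkt[0] >> 6) != 2 || pkt[1] != RTCP_PT_RR) return -1;

    size_t rc = pkt[0] & 0x1Fu;            /* report count: 5-bit field, 0..31 */
    /* The length field counts 32-bit words minus one; widen before multiplying. */
    size_t declared = ((size_t)((pkt[2] << 8) | pkt[3]) + 1u) * 4u;
    if (declared < RTCP_HDR_LEN || declared > pkt_len)
        return -1;                         /* header lies about the packet size */

    /* rc <= 31, so rc * 24 cannot wrap; bound it by subtraction on a value
     * already known to be >= RTCP_HDR_LEN rather than by adding sizes up. */
    if (rc > out_cap) return -1;           /* destination too small */
    if (rc * RTCP_BLOCK_LEN > declared - RTCP_HDR_LEN)
        return -1;                         /* count claims blocks that are not there */

    for (size_t i = 0; i < rc; i++)
        memcpy(out[i].raw, pkt + RTCP_HDR_LEN + i * RTCP_BLOCK_LEN, RTCP_BLOCK_LEN);
    return (int)rc;
}

/* Constructed sample input: an RR header with the given RC and length field,
 * followed by zero-filled blocks. */
int demo_parse(uint8_t rc, uint16_t len_words, size_t pkt_len, size_t out_cap)
{
    uint8_t pkt[RTCP_HDR_LEN + 31 * RTCP_BLOCK_LEN] = {0};
    report_block_t out[31];
    if (pkt_len > sizeof pkt || out_cap > 31) return -1;
    pkt[0] = (uint8_t)(0x80u | (rc & 0x1Fu));
    pkt[1] = RTCP_PT_RR;
    pkt[2] = (uint8_t)(len_words >> 8);
    pkt[3] = (uint8_t)len_words;
    return parse_rr_blocks(pkt, pkt_len, out, out_cap);
}
int main(void) { return demo_parse(2, 13, 56, 4) == 2 ? 0 : 1; }
```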

Exploitation

An attacker can trigger the integer overflow by sending a maliciously crafted RTCP packet with an excessively large report block count field. No authentication or user interaction is required; the vulnerability is reachable remotely over the network via the RTP/RTCP protocol handling path [1].

Impact

Successful exploitation leads to an out-of-bounds write that corrupts adjacent memory, including internal data structures. This can result in remote escalation of privilege, potentially granting the attacker elevated execution capabilities within the affected service [1].

Mitigation

Google released the fix with security patch level 2026-06-05 in the June 2026 Pixel Update Bulletin. All supported Pixel devices should update to this patch level or later. No workarounds are documented; updating to the patched version is the recommended mitigation [1].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
