CVE-2026-0162
Description
A type confusion vulnerability in AudioSdpParser.cpp's ParsePayloads function allows remote code execution on Google Pixel devices without user interaction or additional privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A type confusion vulnerability exists in the ParsePayloads function of AudioSdpParser.cpp, which handles audio-related SDP payloads. This memory corruption flaw can be triggered by processing specially crafted input, leading to remote code execution. The issue affects supported Google Pixel devices with security patch levels prior to 2026-06-05 [1].
Exploitation
Exploitation is remotely achievable without any authentication or user interaction. An attacker would need to deliver a malicious SDP payload to the target device, likely via Bluetooth or another local communication channel. No special privileges are required to trigger the vulnerability; the type confusion occurs during parsing of the malformed input.
Impact
Successful exploitation results in remote code execution with the privileges of the affected component, which may allow full compromise of the device's confidentiality, integrity, and availability. The vulnerability does not require additional execution privileges, indicating the attacker gains high-level access.
Mitigation
The vulnerability is fixed in the June 2026 Pixel Update Bulletin. Users should update their devices to the 2026-06-05 security patch level or later to remediate the issue. No workarounds are available [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.