Android June 2026: Five Baseband and RTP CVEs, Two Critical RCE in Modem

Key findings
- Two critical RCE bugs (CVE-2026-0164, CVE-2026-0139) in the Modem baseband, both remotely exploitable without user interaction
- Two remote DoS CVEs (CVE-2026-0156, CVE-2026-0127) target the RTP session handler and NRMM decoder
- One local EoP (CVE-2026-0131) from an integer overflow in RtpPacket::decodePacket, requiring user interaction
- All five CVEs patched in Google's June 2026 Android security update; no active exploitation reported

Google's June 2026 Android security bulletin includes five CVEs affecting the baseband and real-time communication (RTP) stacks, all disclosed together on June 16, 2026. Two of the bugs — CVE-2026-0164 and CVE-2026-0139 — are out-of-bounds write flaws in the Modem component that can lead to remote code execution (RCE) without user interaction. Both are rated critical, as an attacker could exploit them over the air to gain arbitrary code execution on the baseband processor, a prime target for persistent device compromise.
Two additional CVEs target denial of service (DoS) via the RTP and NRMM subsystems. CVE-2026-0156 is a memory safety issue in checkSsrcCollisionOnRcv of RtpSession.cpp caused by a missing null check; it can be triggered remotely to crash the RTP session handler. CVE-2026-0127 is an out-of-bounds read in NrmmMsgCodec::DecodeUPUTransparentContext that corrupts memory and crashes the communication processor, also remotely exploitable without user interaction.
The fifth CVE, CVE-2026-0131, is an integer overflow in RtpPacket::decodePacket that leads to out-of-bounds access. Unlike the others, this one requires user interaction and is rated as a local escalation of privilege (EoP) rather than a remote attack. It affects the same RTP packet decoding path as CVE-2026-0156, suggesting the RTP stack received particular scrutiny this cycle.
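The bulletin summary gives no code-level detail for CVE-2026-0131, so the following added example illustrates the bug class only and is neither the Android code nor the actual flaw: a defensive RTP header parser in C, using the RFC 3550 layout, that validates every attacker-controlled length before it is used in arithmetic. The names `rtp_parse` and `struct rtp_view` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of a successful parse: where the payload sits in the input buffer. */
struct rtp_view {
    uint32_t ssrc;
    size_t payload_off;
    size_t payload_len;
};

/* Parse an RTP packet laid out per RFC 3550. Returns 0 on success, -1 if the
 * packet is malformed. Each length field is checked against the bytes that
 * remain before it is added to the offset, and all arithmetic is in size_t,
 * so a 16-bit field cannot wrap and no subtraction can underflow. */
int rtp_parse(const uint8_t *buf, size_t len, struct rtp_view *out)
{
    if (buf == NULL || out == NULL || len < 12)
        return -1;                        /* fixed header is 12 bytes */
    if ((buf[0] >> 6) != 2)
        return -1;                        /* version field must be 2 */

    size_t off = 12 + (size_t)(buf[0] & 0x0F) * 4;  /* CSRC list, max 60 bytes */
    if (off > len)
        return -1;

    if (buf[0] & 0x10) {                  /* X bit: extension header present */
        if (len - off < 4)
            return -1;
        size_t ext_words = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (ext_words > (len - off) / 4)  /* compare in words: no overflow */
            return -1;
        off += ext_words * 4;
    }

    size_t pad = 0;
    if (buf[0] & 0x20) {                  /* P bit: last byte is the pad count */
        pad = buf[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;                    /* would underflow payload_len */
    }

    out->ssrc = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                ((uint32_t)buf[10] << 8) | buf[11];
    out->payload_off = off;
    out->payload_len = len - off - pad;   /* safe: off + pad <= len */
    return 0;
}
```
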
Google has released patches for all five CVEs as part of the June 2026 Android security update. Devices on any Android version that run the vulnerable modem and RTP firmware are affected; OEMs are expected to push the update in the weeks following the bulletin. No in-the-wild exploitation had been reported for any of the five CVEs at the time of disclosure.
For Android users, the takeaway is clear: the baseband remains a high-value attack surface, and two critical RCE bugs in the same component underscore the importance of applying the June security patch promptly. The RTP-layer DoS and EoP flaws, while less severe, further widen the attack surface for both remote and local adversaries.