Skip to main content

Android Pixel CVE-2026-0156

| EUVDEUVD-2026-37190 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-16 Google_Devices GHSA-8jxr-v2g2-q4m3
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Reachable over the network via RTP without auth or user interaction (AV:N/AC:L/PR:N/UI:N); null deref yields crash only, so C:N/I:N/A:H with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 22, 2026 - 15:22 vuln.today
CVSS changed
Jun 22, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jun 16, 2026 - 18:51 nvd
HIGH 7.5
CVE Published
Jun 16, 2026 - 18:51 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In checkSsrcCollisionOnRcv of RtpSession.cpp, there is a possible memory safety issue due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Remote denial of service in Android (Pixel) RTP stack arises from a missing null check in checkSsrcCollisionOnRcv within RtpSession.cpp, allowing unauthenticated attackers to crash the affected media component over the network. The flaw carries CVSS 7.5 with availability-only impact, and at the time of analysis there is no public exploit identified and the EPSS exploitation probability is very low (0.14%, 4th percentile).

Technical ContextAI

The vulnerability resides in libstagefright/RTP-related native code (RtpSession.cpp) used by Android's media subsystem for handling Real-time Transport Protocol sessions. The function checkSsrcCollisionOnRcv is invoked when an incoming RTP packet's Synchronization Source identifier (SSRC) is processed to detect collisions between participants in a session; a missing null pointer check leads to a CWE-476 NULL Pointer Dereference when an unexpected internal pointer state is reached on packet receipt. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, and Google's Pixel bulletin treats this as a native-code issue in the RTP/media stack reachable from attacker-controlled network traffic.

RemediationAI

Apply the June 2026 Pixel security patch level or later as published in the Pixel Security Bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01, which is the vendor-released patch addressing this issue. Until the update is installed, compensating controls are limited because RTP handling is part of the platform media stack, but operators can reduce exposure by avoiding answering VoIP/RTP calls from untrusted SIP providers, disabling carrier features that auto-establish RTP sessions where supported, and using carrier-grade SBC filtering to drop malformed RTP - note that these measures will impair legitimate voice/video calling and are not a substitute for patching. Enterprise fleets managed by MDM should enforce the June 2026 security patch level as a compliance baseline.

Share

CVE-2026-0156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy