Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Network-delivered RTCP packet needs no attacker privileges; UI:R because victim must join a media session; C:H reflects unbounded memory read potential; no integrity or availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
In RtcpFbPacket::decodeRtcpFbPacket, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
AnalysisAI
Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.
Technical ContextAI
RTCP (Real-Time Control Protocol, RFC 3550) is the companion control protocol to RTP, used in VoIP, video conferencing, and streaming media to convey quality feedback between participants. RTCP Feedback (FB) packets, defined in RFC 4585, carry codec-level feedback such as NACKs and PLI requests. The vulnerable function RtcpFbPacket::decodeRtcpFbPacket is responsible for deserializing these FB packets on Android. CWE-190 (Integer Overflow or Wraparound) occurs when an arithmetic operation on a length or offset field produces a value that wraps around the integer type's maximum, resulting in a smaller-than-intended value. Here, the overflow likely causes a buffer boundary calculation to underestimate available data, allowing a subsequent read to advance past the valid buffer end - a classic CWE-125 out-of-bounds read triggered by CWE-190. The CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* indicates all Android versions fall within the declared scope. The vulnerability was surfaced by Google's internal Pixel security team (reported_by: Google_Devices), consistent with proactive internal fuzzing or code audit rather than external discovery.
RemediationAI
Apply the security patches delivered via the Google Pixel Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01; devices should be updated to the June 2026 security patch level or later. The specific patched version number is not independently confirmed beyond the bulletin reference - verify the exact patch level identifier against the bulletin before attesting compliance. As a compensating control for devices that cannot immediately receive the update, restrict or monitor use of VoIP and video conferencing applications that process RTCP from untrusted peers; disabling or sandboxing such applications reduces the attack surface at the cost of losing real-time media functionality. Upstream fix details are available via NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-0128.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37211
GHSA-6qg7-6c24-p9vf