Skip to main content

Google Android EUVDEUVD-2026-37211

| CVE-2026-0128 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-16 Google_Devices GHSA-6qg7-6c24-p9vf
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered RTCP packet needs no attacker privileges; UI:R because victim must join a media session; C:H reflects unbounded memory read potential; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 22, 2026 - 19:01 vuln.today
CVSS changed
Jun 22, 2026 - 16:52 NVD
6.5 (MEDIUM)
CVE Published
Jun 16, 2026 - 18:51 nvd
MEDIUM 6.5
CVE Published
Jun 16, 2026 - 18:51 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In RtcpFbPacket::decodeRtcpFbPacket, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

AnalysisAI

Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.

Technical ContextAI

RTCP (Real-Time Control Protocol, RFC 3550) is the companion control protocol to RTP, used in VoIP, video conferencing, and streaming media to convey quality feedback between participants. RTCP Feedback (FB) packets, defined in RFC 4585, carry codec-level feedback such as NACKs and PLI requests. The vulnerable function RtcpFbPacket::decodeRtcpFbPacket is responsible for deserializing these FB packets on Android. CWE-190 (Integer Overflow or Wraparound) occurs when an arithmetic operation on a length or offset field produces a value that wraps around the integer type's maximum, resulting in a smaller-than-intended value. Here, the overflow likely causes a buffer boundary calculation to underestimate available data, allowing a subsequent read to advance past the valid buffer end - a classic CWE-125 out-of-bounds read triggered by CWE-190. The CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* indicates all Android versions fall within the declared scope. The vulnerability was surfaced by Google's internal Pixel security team (reported_by: Google_Devices), consistent with proactive internal fuzzing or code audit rather than external discovery.

RemediationAI

Apply the security patches delivered via the Google Pixel Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01; devices should be updated to the June 2026 security patch level or later. The specific patched version number is not independently confirmed beyond the bulletin reference - verify the exact patch level identifier against the bulletin before attesting compliance. As a compensating control for devices that cannot immediately receive the update, restrict or monitor use of VoIP and video conferencing applications that process RTCP from untrusted peers; disabling or sandboxing such applications reduces the attack surface at the cost of losing real-time media functionality. Upstream fix details are available via NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-0128.

Share

EUVD-2026-37211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy