How is CVE-2026-0131 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the vulnerability. Authentication (required): Any low-privilege local account is sufficient; no elevated or administrative credentials are needed beyond that. Victim interaction (required): A user on the device must perform some action (such as opening a malicious file or responding to a crafted request) for exploitation to succeed. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-0131?

Reads sensitive files, credentials, and application data accessible to higher-privilege processes on the device. Writes or modifies protected system files and persisted application data. Crashes or disrupts running services on the affected device. Achieves full local privilege escalation, effectively giving the attacker control equivalent to a privileged system process.

Back to search

HIGHCVE-2026-0131Published 2026-06-16Modified 2026-06-16CNA Google_Devices

CVE-2026-0131: In RtpPacket::decodePacket, there is a possible out of bounds access due to an integer overflow

In RtpPacket::decodePacket, there is a possible out of bounds access due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow in the Android kernel's RtpPacket::decodePacket function allows an attacker with a local shell on the device to perform an out-of-bounds memory access. Exploitation requires a low-privilege account and some form of user interaction, and a successful attack grants full local escalation of privilege, giving the attacker read and write access to sensitive data as well as the ability to disrupt services. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as Google ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-0131 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived container and emulator images, in each registry and CI pipeline. Any image carrying an affected Android kernel version surfaces in the scan results automatically.

Available

Triage

HarborGuard is capable of scoring this CVE at 7.3 HIGH using the published CVSS v3.1 vector and weighting that score against each customer environment's compliance policy to prioritize the finding appropriately. Routed alerts are directed to the team inbox or ticket queue configured inside each customer organization.

Available

Patch

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment Google publishes a resolved kernel version. In the interim, customers with auto-remediation enabled are notified immediately of advisory status changes so response teams can act without manual feed-monitoring.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the vulnerability.
AuthenticationRequired
Any low-privilege local account is sufficient; no elevated or administrative credentials are needed beyond that.
Victim interactionRequired
A user on the device must perform some action (such as opening a malicious file or responding to a crafted request) for exploitation to succeed.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

Reads sensitive files, credentials, and application data accessible to higher-privilege processes on the device.
Writes or modifies protected system files and persisted application data.
Crashes or disrupts running services on the affected device.
Achieves full local privilege escalation, effectively giving the attacker control equivalent to a privileged system process.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-0131 at this time, HarborGuard monitors the Google advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is published. While awaiting the upstream patch, customers can apply compensating controls: use network-policy rules to isolate affected workloads, restrict which users can execute processes in containers running Android kernel layers, and consider feature-flag gating on any RTP processing paths exposed to untrusted input. HarborGuard surfaces the current unpatched status clearly in the findings dashboard so security teams do not need to poll the upstream advisory manually.

See how HarborGuard automates this

Affected packages

Google / Android
Android kernel

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified