CVE-2026-0132 | Severity: HIGH | CNA: Google_Devices

CVE-2026-0132: In Modem, there is a possible out of bounds write due to a heap buffer overflow

In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A heap buffer overflow in the Android Modem component allows an attacker to write past the end of an allocated memory region, which can be reached remotely over a network connection with only a low-privilege account. Successful exploitation gives the attacker full remote code execution on the affected device with no additional privileges required, enabling complete compromise of confidentiality, integrity, and availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-0132 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android kernel images in customer registries and CI pipelines.

Triage: Available

Triage is available with the full CVSS v3.1 score of 8.8 (HIGH) applied automatically, weighted against each customer organization's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available immediately once the upstream vendor ships a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable Modem component is reachable over the network, so an attacker must be able to send traffic to the exposed service to trigger the heap buffer overflow.

  • Authentication: Required

    A low-privilege account is sufficient; no administrative or elevated credentials are needed beyond basic authenticated access.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed; the attacker can trigger exploitation without any victim participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Attacker executes arbitrary code remotely on the affected Android device at the privilege level of the Modem component.
  • Attacker reads sensitive data stored on the device, including credentials, session tokens, and application data.
  • Attacker modifies or deletes files, configuration, and persisted application state on the device.
  • Attacker crashes or destabilizes the Modem component or broader system, disrupting all connectivity and device availability.

How HarborGuard Handles This

Available on HarborGuard. Because no upstream fix version exists for CVE-2026-0132 at this time, a patched-image rebuild is not yet possible; HarborGuard re-checks the advisory on each ingest cycle and will surface a rebuild the moment Google publishes a patch.

In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation rules can restrict which workloads are permitted to expose the affected Modem service to untrusted network sources, and egress filtering can limit lateral movement if a container running an affected image is compromised.

For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically as soon as an upstream fix is available. In those environments, the median time from CVE patch publication to merged PR for high-severity issues is around 90 minutes.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H