HIGH | CVE-2026-0139 | Published | Modified | CNA Google_Devices

CVE-2026-0139: In Modem, there is a possible out of bounds write due to a missing bounds check

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Modem component of the Android kernel due to a missing bounds check. Per the CVSS vector (AV:N/AC:L/PR:L/UI:N), the flaw is reachable over the network by an authenticated low-privilege user and requires no interaction from a victim. Successful exploitation gives the attacker full remote code execution on the affected device. No fix version has been published yet; HarborGuard tracks the upstream advisory and will surface a patched-image rebuild as soon as one becomes available.

HarborGuard Coverage

Detection

Detection for CVE-2026-0139 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built Android kernel images. Coverage is not limited to official base images; internally built derivatives are scanned as well.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 HIGH and weights that score against each customer environment's compliance policy to determine priority. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers can apply compensating controls such as network-policy isolation for affected workloads directly from the HarborGuard console.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Modem service over the network; there is no local or physical access requirement.

  • Authentication: Required

    A low-privilege account is sufficient; no administrative or elevated credentials are needed to trigger the vulnerability.

  • Victim interaction: Not required

    No action from any user on the target device is required for exploitation.

  • Attack complexity: Detail

    The CVSS vector rates attack complexity as Low (AC:L): exploitation does not depend on race conditions or specific memory-layout prerequisites.

Blast Radius

  • A successful attacker achieves remote code execution within the Modem component of the Android kernel.
  • The high Confidentiality impact means the attacker can read arbitrary memory regions, including stored credentials, session material, and user data processed by the modem.
  • The high Integrity impact means the attacker can write arbitrary data into modem memory, modifying firmware state, configuration, or persisted records.
  • The high Availability impact means the attacker can crash or render the modem subsystem inoperable, causing complete loss of cellular connectivity on the affected device.

How HarborGuard Handles This

Detection for this CVE is available on HarborGuard and active across connected environments. The issue is scored at CVSS 8.8 HIGH, and triage alerts are routed to the appropriate team inbox based on each customer's compliance policy and ownership configuration. Because no upstream fix exists, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Google publishes a fix. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads.

While a patch is pending, compensating controls are advisable:

  • applying network-policy rules to restrict inbound access to modem-adjacent services;
  • enabling egress filtering on affected workloads;
  • auditing any low-privilege accounts that have access to the affected system surface.

Affected packages

  • Google / Android
    Android kernel

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H