HIGH | CVE-2026-0147 | Published | Modified | CNA: Google_Devices

CVE-2026-0147: In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q

In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Out-of-bounds write in the Android kernel's MFC core NAL queue handler allows a network-reachable, low-privileged attacker to execute arbitrary code. The flaw exists in __mfc_core_nal_q_get_dec_metadata_sei_nal in mfc_core_nal_q.c, where a missing bounds check on a write operation can be triggered without any victim interaction. Successful exploitation gives the attacker full code execution in the kernel context, enabling complete device compromise. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android kernel images in customer registries and CI pipelines. Any image carrying an affected kernel version is flagged automatically without requiring manual scan triggers.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH) using the published v3.1 vector and can weight that score further against each customer's compliance policy to determine urgency. Findings are routed to the team or inbox configured in each customer organization's notification settings.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available as soon as the upstream patch lands. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The CVSS vector specifies AV:N, meaning an attacker must be able to reach the vulnerable service over the network to trigger the out-of-bounds write.

  • Authentication: Required

    The CVSS vector specifies PR:L, meaning any low-privilege account or credential is sufficient; no administrative access is needed.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N, meaning the attacker can complete exploitation without any action from a user on the affected device.

  • Attack complexity: Detail

    The CVSS vector specifies AC:L, meaning exploitation does not depend on conditions outside the attacker's control, such as special timing, race conditions, or environment-specific preconditions.

Blast Radius

  • Attacker achieves arbitrary code execution in the Android kernel context, gaining full control over the affected device.
  • Attacker reads any data accessible to the kernel, including credentials, session tokens, and application memory.
  • Attacker modifies kernel memory and persisted storage, enabling installation of persistent backdoors or malware.
  • Attacker can crash or destabilize the kernel, causing a denial of service to all processes on the device.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment Google publishes a fix. In the meantime, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict which services can reach the vulnerable interface, egress filtering to limit lateral movement if a container is compromised, and flagging of affected images as non-compliant to block promotion to production registries. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR against affected workloads will fire automatically when the upstream patch is available, with median time from CVE patch publication to merged PR for HIGH-severity issues around 90 minutes in those environments.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H