CVE-2026-0148: In multiple functions of VideoRtpPayloadDecoderNode
In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An integer overflow leading to an out-of-bounds write exists in the Android kernel's VideoRtpPayloadDecoderNode component. The flaw is reachable over the network by any authenticated (low-privilege) user without requiring any victim interaction, and successful exploitation gives the attacker full remote code execution on the affected device. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-kernel-derived images, in both registry scans and CI pipeline checks.
AvailableHarborGuard scores this CVE at CVSS 8.8 HIGH and weights it against each customer org's compliance policy to determine breach-of-threshold routing, surfacing it to the appropriate team inbox without manual triage overhead.
AvailableBecause no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google ships a fix. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as the patched base image becomes available.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable component is reachable over the network, so the attacker must be able to send traffic to the exposed service.
- AuthenticationRequired
A low-privilege account is sufficient; no administrative or elevated credentials are needed beyond basic authentication.
- Victim interactionNot required
No action from a user on the target device is required to trigger the vulnerability.
- Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or special environmental factors that the attacker must arrange.
Blast Radius
- Attacker achieves remote code execution within the Android kernel context.
- Reads arbitrary memory, including stored credentials, session tokens, and sensitive application data on the device.
- Modifies or corrupts kernel memory, enabling persistent tampering with OS-level state and data.
- Crashes or destabilizes the affected service or entire device, causing a denial of service.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet for CVE-2026-0148, the platform monitors the Google advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with median time from fix publication to merged patch PR around 90 minutes for HIGH-severity issues. In the interim, compensating controls are worth considering: network-policy rules that restrict which services can send RTP traffic to affected containers, egress filtering to limit lateral movement if a container is compromised, and feature-flag gating of any workloads that exercise the VideoRtpPayloadDecoderNode code path. HarborGuard will surface the advisory status in each customer's dashboard and update automatically when upstream ships.
- Google / AndroidAndroid kernel
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H