How is CVE-2026-0154 exploited?

Network reachability (required): The attacker sends the malformed SIP REFER request over the network to reach the modem component, requiring network-level access to the target. Authentication (required): The CVSS vector specifies PR:L, meaning any low-privilege account is sufficient; no administrator or root-level credentials are needed. Victim interaction (not-required): Exploitation is fully remote and automated; no action from a user on the target device is needed. Attack complexity (info): AC:L indicates the exploit is reliable and condition-free, with no race conditions or specific memory-layout dependencies required.

What is the impact of CVE-2026-0154?

An attacker achieves remote code execution inside the modem process, gaining the ability to run arbitrary code at that privilege level. All data passing through or stored by the modem component, including call signaling and session credentials, becomes readable to the attacker. The attacker can modify modem state, intercept or manipulate SIP sessions, and alter data in transit. The modem process crashes or is held under attacker control, disrupting voice, data, and signaling services on the affected device.

Back to search

HIGHCVE-2026-0154Published 2026-06-16Modified 2026-06-16CNA Google_Devices

CVE-2026-0154: In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption

In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Memory corruption in the Android modem component can be triggered remotely by sending a malformed SIP REFER request, requiring only a low-privilege account with no user interaction. Successful exploitation gives an attacker remote code execution inside the modem process with no additional privilege escalation needed, enabling full confidentiality, integrity, and availability impact. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-0154 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images derived from the Android kernel base, in CI pipelines and connected registries.

Available

Triage

Triage is available with a CVSS v3.1 score of 8.8 (HIGH), weighted against each customer organization's per-environment compliance policy, and routed to the appropriate team inbox based on configured ownership rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix lands. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker sends the malformed SIP REFER request over the network to reach the modem component, requiring network-level access to the target.
AuthenticationRequired
The CVSS vector specifies PR:L, meaning any low-privilege account is sufficient; no administrator or root-level credentials are needed.
Victim interactionNot required
Exploitation is fully remote and automated; no action from a user on the target device is needed.
Attack complexityDetail
AC:L indicates the exploit is reliable and condition-free, with no race conditions or specific memory-layout dependencies required.

Blast Radius

An attacker achieves remote code execution inside the modem process, gaining the ability to run arbitrary code at that privilege level.
All data passing through or stored by the modem component, including call signaling and session credentials, becomes readable to the attacker.
The attacker can modify modem state, intercept or manipulate SIP sessions, and alter data in transit.
The modem process crashes or is held under attacker control, disrupting voice, data, and signaling services on the affected device.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged HIGH with a CVSS score of 8.8 and is actively tracked against all customer images that include the Android kernel modem component. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle. In the interim, customers can apply compensating controls through HarborGuard network-policy recommendations: isolating affected workloads from untrusted SIP traffic using egress and ingress filtering, and gating SIP REFER processing at the network perimeter where possible. The moment an upstream fix is published, a patched-image rebuild will become available automatically. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with median time from CVE fix publication to merged patch PR around 90 minutes for HIGH-severity issues.

See how HarborGuard automates this

Affected packages

Google / Android
Android kernel

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified