HIGH | CVE-2026-0160 | CNA: Google_Devices

CVE-2026-0160: In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode

In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Android kernel's TextRtpPayloadDecoderNode::DecodeT140 function, which handles T.140 real-time text over RTP. The flaw is reachable over the network by any authenticated (low-privilege) user without requiring victim interaction, making it exploitable by any account holder on an affected device or service. Successful exploitation gives an attacker full remote code execution on the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-0160 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Android kernel components or derived userspace layers.
Triage: Available

Triage is available using the CVSS v3.1 score of 8.8 (HIGH), weighted against each customer organization's compliance policy, with findings routed to the appropriate team inbox based on policy-defined severity thresholds and ownership rules.
Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google ships a fix, with auto-remediation customers receiving a rebuild, regression run, and PR opened against affected workloads at that time.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network, meaning an attacker must be able to send crafted RTP packets to an exposed service.

  • Authentication: Required

    A low-privilege account is sufficient; no administrative or elevated credentials are needed to reach the vulnerable code path.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed; the attacker can trigger the flaw without any involvement from a logged-in user.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Attacker achieves remote code execution in the context of the affected Android kernel component, with the ability to run arbitrary instructions on the host.
  • Confidential data stored on the device or accessible to the kernel, including credentials, session state, and application data, is readable by the attacker.
  • The attacker can modify persisted data, kernel structures, or application state, enabling tampering with device behavior or stored records.
  • The attacker can crash or destabilize the kernel component, causing service disruption or device unavailability.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against customer images on every scan cycle. Because no upstream fix has been published, patched-image rebuilds are not yet available; HarborGuard monitors the Google advisory and upstream Android security bulletins on each ingest cycle and will trigger a rebuild automatically once a fix version is released. In the interim, customers can use HarborGuard's network-policy controls to flag and isolate images that expose RTP-based real-time text services, apply egress filtering rules to limit reachability of affected components, and use feature-flag gating to disable T.140 RTP payload processing where it is not required. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be initiated within minutes of upstream patch publication; for high-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes once a fix is available.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H