Severity: HIGH | CVE-2026-0161 | CNA: Google_Devices

CVE-2026-0161: In numberOfReportBlocks of RtpSession

In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow in the RtpSession.cpp component of the Android kernel enables an out-of-bounds write that a remote attacker can reach over the network. The vulnerability requires only a low-privilege account and no victim interaction, and successful exploitation grants the attacker escalated privileges on the device, along with full read, write, and crash capability over affected resources. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-0161 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from Android kernel base layers. Any image carrying the affected RtpSession component is flagged automatically.

Status: Available

Triage

HarborGuard can score this CVE at 8.8 HIGH using the CVSS v3.1 vector and weight it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Google publishes a remediated Android kernel version. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable RtpSession component is reachable over the network, so an attacker must be able to send crafted RTP traffic to the target device.

  • Authentication: Required

    A low-privilege account is sufficient; no administrative or elevated credentials are needed beyond basic authenticated access.

  • Victim interaction: Not required

    Exploitation is fully remote and silent; no user action such as clicking a link or opening a file is needed.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no specific race conditions, memory-layout knowledge, or other environmental prerequisites.

Blast Radius

  • A successful attacker gains escalated privileges on the compromised Android device, moving beyond their initial low-privilege account.
  • With high confidentiality impact, the attacker reads sensitive data stored on the device, including credentials, session tokens, and application data.
  • With high integrity impact, the attacker modifies files, databases, or kernel state on the device.
  • With high availability impact, the attacker crashes the affected service or the kernel, causing a denial of service on the device.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all connected registries and CI pipelines, covering any image built on or derived from an affected Android kernel layer. Because no upstream patch exists as of the CVE publication date, HarborGuard monitors the Google advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published.

Until then, customers are advised to apply compensating controls:

  • Restrict network access to RTP endpoints using Kubernetes network policies or equivalent firewall rules.
  • Apply egress filtering to limit lateral movement if a container is compromised.
  • Consider feature-flag gating on any service that exposes RTP session handling.

For customers with auto-remediation enabled, once an upstream fix is available, the typical flow produces a rebuilt image, a regression-test run, and a PR opened against affected workloads, with a median time from CVE fix publication to merged patch PR of around 90 minutes for high-severity issues.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H