Severity: HIGH | CVE-2026-0162 | CNA: Google_Devices

CVE-2026-0162: In ParsePayloads of AudioSdpParser

In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a type confusion vulnerability in the Android kernel's audio SDP (Session Description Protocol) parser, specifically in the ParsePayloads function of AudioSdpParser.cpp. The flaw is reachable over the network by any low-privilege authenticated user, with no victim interaction required. Successful exploitation causes memory corruption that gives an attacker full remote code execution on the affected device. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-0162 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android kernel images in customer registries and CI pipelines. Any image containing an affected version of the Android kernel is flagged automatically on each ingest cycle.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 8.8 HIGH using its CVSS v3.1 vector and weighting that score against each customer environment's compliance policy to set appropriate urgency. Triage findings are routed to the team inbox or ticket queue configured inside each customer org, ensuring the right engineers see the alert without manual sorting.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment Google ships a fix. In the interim, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to reduce exposure of the affected service.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable parser is exposed over the network, meaning an attacker must be able to send crafted SDP payloads to the target device across the internet or an accessible network path.

  • Authentication: Required

    The attacker must hold a low-privilege account; no administrative or elevated credentials are needed beyond that baseline.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed; the attacker can trigger the vulnerability entirely without victim participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or memory-layout knowledge to succeed.

Blast Radius

  • A successful attacker achieves remote code execution on the affected Android kernel, gaining the ability to run arbitrary code in the kernel context.
  • Confidentiality impact is high: the attacker can read any data accessible to the kernel, including credentials, session tokens, and application data stored on the device.
  • Integrity impact is high: the attacker can modify kernel memory, persisted files, and application data without restriction.
  • Availability impact is high: the attacker can crash or hang the kernel, taking the affected device entirely offline.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-0162 runs on every ingest cycle across all connected customer environments, flagging images that carry an affected Android kernel build. Because Google has not yet published a patched version, no rebuilt image is available at this time. HarborGuard will monitor the upstream advisory on each ingest cycle and make a patched-image rebuild available automatically the moment a fix is published. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads with no manual steps required. While no upstream fix exists, customers can reduce exposure by applying network-policy isolation to restrict which services can deliver SDP payloads to affected containers, and by enabling egress filtering to limit attacker-controlled traffic paths.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H