How is CVE-2026-0164 exploited?

Network reachability (required): The vulnerable Modem component is reachable over the network, meaning an attacker must be able to send traffic to the target device across a network path. Authentication (required): Any low-privilege account is sufficient; no administrative or elevated credentials are needed beyond basic authenticated access. Victim interaction (not-required): No action is required from a user on the targeted device for exploitation to succeed. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

What is the impact of CVE-2026-0164?

A successful attacker achieves remote code execution within the Modem component of the Android kernel, gaining control of code running in that context. Confidentiality impact is high: the attacker reads memory contents accessible to the Modem component, which may include sensitive modem state, network credentials, or data in transit. Integrity impact is high: the attacker writes arbitrary data to memory, allowing modification of modem behavior, persisted configuration, or data flowing through the component. Availability impact is high: the attacker crashes or destabilizes the Modem component, disrupting all network connectivity on the affected device.

Back to search

HIGHCVE-2026-0164Published 2026-06-16Modified 2026-06-16CNA Google_Devices

CVE-2026-0164: In Modem, there is a possible out of bounds write due to a missing bounds check

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Android kernel Modem component due to a missing bounds check. The flaw is reachable over the network by any low-privilege authenticated user, with no victim interaction required. Successful exploitation gives an attacker full remote code execution on the affected device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-0164 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android kernel images. Coverage applies to both base images pulled from upstream and images built internally by customer teams.

Available

Triage

Triage is available using the CVSS v3.1 score of 8.8 (HIGH), weighted against each customer organization's compliance policy to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

No fix version has been published upstream for CVE-2026-0164. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once the upstream patch lands.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable Modem component is reachable over the network, meaning an attacker must be able to send traffic to the target device across a network path.
AuthenticationRequired
Any low-privilege account is sufficient; no administrative or elevated credentials are needed beyond basic authenticated access.
Victim interactionNot required
No action is required from a user on the targeted device for exploitation to succeed.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

A successful attacker achieves remote code execution within the Modem component of the Android kernel, gaining control of code running in that context.
Confidentiality impact is high: the attacker reads memory contents accessible to the Modem component, which may include sensitive modem state, network credentials, or data in transit.
Integrity impact is high: the attacker writes arbitrary data to memory, allowing modification of modem behavior, persisted configuration, or data flowing through the component.
Availability impact is high: the attacker crashes or destabilizes the Modem component, disrupting all network connectivity on the affected device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-0164 is active across all connected environments, matching against every image that includes the affected Android kernel Modem component. Because no upstream fix exists at this time, HarborGuard monitors the Google advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a fix version is published. In the interim, compensating controls available within HarborGuard include network-policy isolation to restrict inbound traffic paths to affected workloads and flagging affected images for manual review queues. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will activate without manual steps the moment the upstream patch is available, targeting a median turnaround consistent with high-severity advisories in connected environments.

See how HarborGuard automates this

Affected packages

Google / Android
Android kernel

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified