Impact
This flaw lies in the modem component of the Android operating system and originates from an incorrect bounds check that permits an out-of-bounds write. The resulting memory corruption can be used by an attacker to execute arbitrary code with the same privileges as the system process that owns the vulnerable component, allowing full compromise of the device. The defect is classified as CWE-787 (Out-of-bounds Write), a classic buffer overflow issue.
Affected Systems
Google Android is the only affected vendor listed. No exact Android release or build numbers are specified in the advisory, so any device running a version that contains the unpatched modem code is potentially affected. Users of Pixel devices are referenced in the official security bulletin, implying the issue may span the Pixel line but is not limited to it.
Risk and Exploitability
The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is under 1%, meaning that, although the flaw is theoretically exploitable from the internet, the likelihood of an active attack is very low at this time. The flaw is not yet part of the CISA Known Exploited Vulnerabilities catalog, so there are no documented exploits in the wild. The attack does not require user interaction and can be triggered remotely, which underscores the need to patch immediately once a fix is available. Vendors typically release an OTA update within the next security bulletin cycle, so users should anticipate one. Until a fix is installed, the risk of compromise persists for all affected devices.