Description
In writeAocCommand of AocAudioCodec.cpp, there is a possible memory safety issue due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing bounds check in the writeAocCommand function of AocAudioCodec.cpp allows an attacker to send a crafted audio command that could overwrite out‑of‑bounds memory, causing a crash and denial of service. This memory safety flaw is identified as CWE‑120 and does not grant the attacker additional privileges. The vulnerability can be triggered remotely without user interaction.

Affected Systems

This vulnerability applies to the Android operating system on Google devices running the AocAudioCodec component. No specific version information is provided, so all affected Android builds that include the unpatched AocAudioCodec implementation are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is under 1%, suggesting a low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector would involve an attacker sending a malicious audio command to the audio service over a susceptible interface, which could be accessed remotely. No additional execution privileges or user interaction are required for exploitation.

Generated by OpenCVE AI on June 17, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android security patch released in the 2026‑06 bulletin that corrects the bounds check in AocAudioCodec
  • If a patch cannot be applied immediately, restrict or block the AocAudioCodec service from remote connections to prevent the delivery of malicious audio commands
  • Limit the audio service to trusted applications only by configuring the device’s permission settings, reducing the attack surface
  • Monitor device logs for abnormal audio command activity and enforce strict network controls to detect and mitigate potential exploitation

Generated by OpenCVE AI on June 17, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Memory Safety Flaw in Android AocAudioCodec Causing Remote Denial of Service

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In writeAocCommand of AocAudioCodec.cpp, there is a possible memory safety issue due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-16T20:12:58.629Z

Reserved: 2025-10-23T08:43:50.891Z

Link: CVE-2026-0144

cve-icon Vulnrichment

Updated: 2026-06-16T20:12:55.928Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:25.170

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:30:13Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')