Description
In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In mfc_core_get_dec_metadata_sei_nal of the Media Framework Core, a missing bounds check can cause an out‑of‑bounds write. This flaw can be exploited to execute arbitrary code without needing elevated privileges, impacting confidentiality and integrity at the same privilege level as the media framework.

Affected Systems

Google Android systems that use the Media Framework Core component are affected. The issue appears in the build referenced by the 2026‑06‑01 security bulletin. Pixel and other Android devices should verify that they have applied the latest patch for the Media Framework.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests that exploitation in the wild is rare at present, and the flaw is not cataloged in the CISA KEV list. Based on the description, the likely attack vector is malicious media content or a network stream processed by the device's media decoder, and no user interaction is required for exploitation.

Generated by OpenCVE AI on June 17, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security patch that fixes the out‑of‑bounds write in mfc_core_get_dec_metadata_sei_nal; the patch is documented in the June 2026 bulletin.
  • If manufacturer updates are not yet available, disable or restrict hardware‑accelerated media decoding (e.g., switch video players to software decoding) to avoid invoking the vulnerable function.
  • Configure the device to receive automatic OS updates and regularly monitor the Google security bulletins for additional patches related to the Media Framework.

Generated by OpenCVE AI on June 17, 2026 at 18:02 UTC.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 21:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-787

Tue, 16 Jun 2026 21:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Google
                                       Google android
Vendors & Products                     Google
                                       Google android

Tue, 16 Jun 2026 20:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-120
Metrics                         cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type          Values Removed    Values Added
Description                     In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-17T03:56:17.842Z

Reserved: 2025-10-23T08:43:53.321Z

Link: CVE-2026-0146

Vulnrichment

Updated: 2026-06-16T20:07:23.144Z

NVD

Status: Awaiting Analysis

Published: 2026-06-16T20:16:25.350

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-787

    Out-of-bounds Write