Description
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write in the Android Modem subsystem caused by a missing bounds check. This flaw permits an attacker to overwrite arbitrary memory, leading to remote code execution without needing additional privileges. It is classified under CWE‑120 and CWE‑787, indicating a classic buffer overflow and buffer overread/overwrite condition. The consequences are total compromise of confidentiality, integrity, and availability of the affected device, since no user interaction is required and the fault can be triggered remotely.

Affected Systems

The affected platform is Android as supplied by Google. No specific product or version information is provided, so all Android devices with the vulnerable Modem implementation are potentially impacted until a formal patch is deployed. The issue manifests in the Modem code path that handles external modem commands.

Risk and Exploitability

The CVSS score of 8.8 flags this flaw as high‑severity. The EPSS score is less than 1 % indicating that, while the theoretical risk is significant, current data suggest a low probability of exploitation in the wild. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via network interfaces that communicate with the modem, as the description states that no user interaction is required for exploitation. Exploitation would require an attacker capable of interacting with the device’s modem control protocol, which is typically exposed over local or cellular channels.

Generated by OpenCVE AI on June 17, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that addresses the Modem out‑of‑bounds write.
  • Limit or block external access to the modem control interface, for example by configuring firewall rules or disabling the interface via device policy.
  • Reboot the device after applying the patch or interface restrictions to ensure the changes take effect.

Generated by OpenCVE AI on June 17, 2026 at 17:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Modem Out‑of‑Bounds Write Enabling Remote Code Execution

Tue, 16 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-787
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Google_Devices

Published:

Updated: 2026-06-17T03:56:05.780Z

Reserved: 2025-10-23T08:45:04.193Z

Link: CVE-2026-0164

cve-icon Vulnrichment

Updated: 2026-06-16T19:34:59.839Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:26.790

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-0164

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:00:04Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-787

    Out-of-bounds Write