PatchSiren cyber security CVE debrief
CVE-2026-0146 Google CVE debrief
CVE-2026-0146 is a vulnerability in the mfc_core_get_dec_metadata_sei_nal function of mfc_core_reg_api.c. The vulnerability is caused by a missing bounds check, which could lead to an out-of-bounds write. This could result in remote code execution with no additional execution privileges needed. User interaction is not required for exploitation.
- Vendor
- Product
- Android
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-17
Who should care
This vulnerability may affect users of Android devices, as indicated by the source reference [ref-4].
Technical summary
The vulnerability is located in the mfc_core_get_dec_metadata_sei_nal function of mfc_core_reg_api.c. A missing bounds check could lead to an out-of-bounds write, potentially resulting in remote code execution.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates from the vendor as soon as they become available.
- Monitor for any advisories or updates from the vendor regarding this vulnerability.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about the vulnerability. The source reference [ref-4] from Google's Android security bulletin may provide additional context.
Official resources
-
CVE-2026-0146 CVE record
CVE.org
-
CVE-2026-0146 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-0146 was published on 2026-06-16T20:16:25.350Z and modified on 2026-06-16T20:42:25.013Z.