CVE-2026-0006

CRITICAL

Google Android - Heap Buffer Overflow

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-0006. PoCs published by XiaomingX, adminlove520, XZ1r0.

AI-analyzed exploit summary: The repository contains minimal and incomplete content with no functional exploit code. The README states 'şuan yok' (Turkish for 'not available now'), and the Python file appears to be unrelated placeholder text.

Description

In multiple locations, there is a possible out of bounds read and write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (4)

github STUB 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-0006

The repository contains minimal and incomplete content with no functional exploit code. The README states 'şuan yok' (Turkish for 'not available now'), and the Python file appears to be unrelated placeholder text.

Classification: Stub 95%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Mar 04, 2026

github WORKING POC 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-0006

This repository contains a functional exploit for CVE-2026-0006, a heap buffer overflow in libopenapv (Android APV Codec). The exploit leverages a dimension mismatch between AU_INFO and FRAME PBUs to achieve zero-click remote code execution via a crafted MP4 file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: libopenapv v0.1.11.1 through v0.1.13.0, Android 16 devices with security patch level before March 2026
No auth needed
Prerequisites: Android 16 emulator/device with pre-March 2026 security patch · adb access · Python 3 · Android NDK for cross-compilation
devstral-2 · analyzed May 12, 2026

github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/mobile/CVE-2026-0006-openapv-poc

This repository contains a functional exploit for CVE-2026-0006, a heap buffer overflow in Android's APV decoder (libopenapv). The exploit generates a malicious MP4 file that triggers an out-of-bounds write by misleading the decoder about frame dimensions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android APV decoder (libopenapv) on pre-March 2026 patch levels
No auth needed
Prerequisites: valid.apv file · ffmpeg to generate baseline MP4 · Android device with vulnerable libopenapv
devstral-2 · analyzed May 21, 2026

github STUB
by aydin5245 · pythonpoc
https://github.com/aydin5245/cve-2026-0006

The repository contains minimal content with no functional exploit code. The README states 'şuan yok' (Turkish for 'not available now'), and the Python file appears to be unrelated to the CVE, discussing keyword search functionality instead.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed May 01, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0005
EPSS Percentile: 15.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-122
Status: published
Products (1): google/android 16.0
Published: Mar 02, 2026
Tracked Since: Mar 03, 2026