VYPR
Unrated severity · NVD Advisory · Published Oct 1, 2015 · Updated May 6, 2026

CVE-2015-3828

Description

The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM), which allows remote attackers to execute arbitrary code or cause a denial of service (integer underflow and memory corruption) via crafted 3GPP metadata, aka internal bug 20923261, a related issue to CVE-2015-3826.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Remote code execution or DoS via integer underflow in Android libstagefright's MPEG4Extractor when processing crafted 3GPP metadata; affects Android before 5.1.1 LMY48I.

Vulnerability

An integer underflow vulnerability exists in the MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp within Android's libstagefright library. The function does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM). This allows a crafted 3GPP metadata entry to trigger an integer underflow during a subtraction operation, leading to memory corruption. The vulnerability affects Android versions before 5.1.1 LMY48I [1].

Exploitation

An attacker can exploit this vulnerability by delivering a specially crafted media file (e.g., via MMS, web, or other messaging channels) that contains malformed 3GPP metadata. No authentication is required; the attack is remote and user interaction is minimal (the victim simply needs to process the media file using a vulnerable version of Android's media server). The integer underflow arises when the code subtracts a small value from an already small size, resulting in a large positive value that leads to a linear byteswap operation in the subsequent framedata decoding code [1].

Impact

Successful exploitation can result in arbitrary code execution with the privileges of the mediaserver process, or a denial of service (crash) due to memory corruption, potentially compromising the device's confidentiality, integrity, and availability [1].

Mitigation

Google released a fix in Android 5.1.1 LMY48I, which includes commit f4f7e0c102819f039ebb1972b3dba1d3186bc1d1 that introduces a bounds check to prevent the integer underflow. Users should update to this or a later version. No workarounds are available. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
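The bug class described above (an unsigned size that is subtracted from before a minimum is enforced) and the kind of bounds check that closes it, as an added illustration; this is not the libstagefright source or the code of the fix commit. The record layout, `kHeaderBytes`, `unitsUnchecked` and `decodeText` are hypothetical names chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical record layout: kHeaderBytes of header, then UTF-16 text.
constexpr size_t kHeaderBytes = 6;

// Unchecked pattern: for size < kHeaderBytes the unsigned subtraction
// wraps, so a tiny record reports an enormous number of 16-bit units.
size_t unitsUnchecked(size_t size) {
    return (size - kHeaderBytes) / 2;
}

// Hardened decode: every length is validated before it is subtracted from.
// Returns false for records too short or malformed for what they claim.
bool decodeText(const uint8_t *rec, size_t size, std::u16string *out) {
    out->clear();
    if (rec == nullptr || size < kHeaderBytes) return false;  // minimum size
    size_t bytes = size - kHeaderBytes;                       // cannot wrap now
    if (bytes % 2 != 0) return false;                         // whole units only
    const uint8_t *p = rec + kHeaderBytes;
    size_t len16 = bytes / 2;
    bool littleEndian = false;
    if (len16 >= 1) {                          // a BOM needs one full unit
        uint16_t first = static_cast<uint16_t>((p[0] << 8) | p[1]);
        if (first == 0xFEFF || first == 0xFFFE) {
            littleEndian = (first == 0xFFFE);
            p += 2;
            len16 -= 1;                        // safe: len16 >= 1 was checked
        }
    }
    for (size_t i = 0; i < len16; ++i) {
        uint16_t a = p[2 * i], b = p[2 * i + 1];
        out->push_back(static_cast<char16_t>(littleEndian ? (b << 8) | a : (a << 8) | b));
    }
    return true;
}

int main() {
    // Constructed sample: zeroed header, little-endian BOM, then "Hi".
    const uint8_t rec[] = {0, 0, 0, 0, 0, 0, 0xFF, 0xFE, 'H', 0, 'i', 0};
    std::u16string out;
    std::printf("unchecked units for a 4-byte record: %zu\n", unitsUnchecked(4));
    bool ok = decodeText(rec, sizeof rec, &out);
    std::printf("12-byte record accepted: %d, units decoded: %zu\n", ok, out.size());
    std::printf("4-byte record accepted: %d\n", decodeText(rec, 4, &out));
    return 0;
}
```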

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

6
