CVE-2015-6620
Description
libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bugs 24123723 and 24445127.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A privilege escalation vulnerability in Android's libstagefright allows a crafted app to gain Signature or SignatureOrSystem access.
Vulnerability
A privilege escalation vulnerability exists in libstagefright in Android versions prior to 5.1.1 LMY48Z and 6.0 before the 2015-12-01 security patch level. The bug, referenced as internal issues 24123723 and 24445127, allows a crafted application to gain elevated privileges. The exact code path is not publicly detailed, but the issue lies in the media processing library [1].
Exploitation
An attacker requires the ability to install and run a crafted application on the target device. No additional user interaction beyond installation is necessary. The application can then trigger the vulnerability to escalate its privileges within the Android permission model. No network position or special authentication is required [1].
Impact
Successful exploitation allows the attacker to gain Signature or SignatureOrSystem level access. These are the Android permission protection levels normally reserved for applications signed with the same certificate as the component that declares the permission or, for SignatureOrSystem, installed in the system image. This enables the attacker to perform actions normally reserved for the device's trusted platform components, potentially leading to full device compromise [1].
Mitigation
The issue was addressed in the Android Security Bulletin for December 2015. Devices running Android 5.1.1 with build LMY48Z or later, and Android 6.0 with Security Patch Level of December 1, 2015 or later, include the fix. Source code patches were released to the Android Open Source Project (AOSP). Users should apply the available OTA update or flash updated firmware images. No workaround is available without the patch [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 5.1.1 LMY48Z, < 6.0 before 2015-12-01
References
[1] source.android.com/security/bulletin/2015-12-01.html (nvd, Vendor Advisory)