CVE-2017-0466
Description
A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33139050.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in Android's Mediaserver allows remote code execution via a specially crafted media file.
Vulnerability
A remote code execution vulnerability exists in Android's Mediaserver component due to memory corruption during the processing of specially crafted media files. The issue affects Android versions 6.0, 6.0.1, 7.0, and 7.1.1. The vulnerability is triggered when Mediaserver parses a malicious media file, leading to memory corruption that can be exploited for code execution [1].
Exploitation
An attacker can exploit this vulnerability by delivering a specially crafted media file to the target device, for example via a malicious website, email attachment, or MMS. The user must open the file with an application that uses Mediaserver (e.g., the default media player). No authentication or special network position is required; the attack can be performed remotely [1].
Impact
Successful exploitation results in remote code execution within the context of the Mediaserver process. This can allow the attacker to execute arbitrary code with the privileges of Mediaserver, potentially leading to full compromise of the device's media capabilities and access to sensitive data [1].
Mitigation
Google released a fix for this vulnerability in the March 2017 Android Security Bulletin. Users should ensure their devices have received the security patch level of 2017-03-01 or later. No workaround is available; updating to the patched version is the only mitigation [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
- (no CPE) range: Android-6.0
- Range: 6.0, 6.0.1, 7.0, 7.1.1
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.