CVE-2017-0543
Description
A remote code execution vulnerability in libavc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-34097866.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote code execution vulnerability in Android's libavc library allows memory corruption via a specially crafted file, affecting multiple Android versions.
Vulnerability
The vulnerability resides in the libavc library, specifically in the H.264 decoder component of Mediaserver. The function ih264d_parse_slice.c fails to initialize default reference buffers for each picture before decoding the first slice. This lack of initialization can lead to memory corruption when processing a specially crafted media file. Affected versions: Android 6.0, 6.0.1, 7.0, and 7.1.1. [1][2]
Exploitation
An attacker needs to deliver a specially crafted media file (e.g., via a malicious application or web content) that targets the Mediaserver process. No additional privileges are required if the file is processed by Mediaserver. The attacker can trigger the vulnerability by having the user open the crafted file, causing Mediaserver to parse it and trigger the uninitialized reference buffer, leading to memory corruption. [1]
Impact
Successful exploitation allows arbitrary code execution within the context of the Mediaserver process, which runs with high privileges. This could enable an attacker to potentially install programs; view, change, or delete data; or create new accounts with full user rights. The impact is rated as Critical due to remote code execution possibility. [1]
Mitigation
A fix was provided in the Android Security Bulletin for April 2017. The commit with ID f634481e940421020e52f511c1fb34aac1db4b2f initializes default reference buffers for all pictures, preventing the memory corruption. Users should update to the latest security patch level. No workarounds are mentioned. [1][2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
- (no CPE)range: Android-6.0
- Range: 6.0, 6.0.1, 7.0, 7.1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- android.googlesource.com/platform/external/libavc/+/f634481e940421020e52f511c1fb34aac1db4b2fnvdIssue TrackingPatchThird Party Advisory
- www.securityfocus.com/bid/97330nvdThird Party AdvisoryVDB Entry
- source.android.com/security/bulletin/2017-04-01nvdVendor Advisory
- www.securitytracker.com/id/1038201nvd
News mentions
0No linked articles in our index yet.