VYPR
High severity 7.8 · NVD Advisory · Published May 12, 2017 · Updated May 13, 2026

CVE-2017-0590

Description

A remote code execution vulnerability in libhevc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-35039946.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A specially crafted file triggers memory corruption in libhevc, allowing remote code execution in Android Mediaserver on versions 5.0.2 through 7.1.2.

Vulnerability

A remote code execution vulnerability exists in the libhevc library within Android's Mediaserver, specifically in the HEVC (H.265) video decoding component. The flaw is a memory corruption issue that occurs when parsing Sequence Parameter Set (SPS) data; the code fails to properly validate that the number of bytes read does not exceed the NAL unit length, leading to an out-of-bounds read or write. Affected versions include Android 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2 [1]. The vulnerable function resides in decoder/ihevcd_parse_headers.c, and the fix ensures that parsing returns an error if the SPS parsing reads more bytes than the NAL length [2].
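The check described above (fail the parse when header parsing consumes more bytes than the NAL unit holds), as an added sketch that is not libhevc's code. The bit reader, the `toy_sps_t` layout and all function names are hypothetical; the field layout is a constructed stand-in, not the real HEVC SPS syntax.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical MSB-first bit reader; not libhevc's bitstream API. */
typedef struct {
    const uint8_t *buf;  /* start of the NAL payload */
    size_t len;          /* NAL length in bytes */
    size_t bitpos;       /* bits consumed so far; may run past len * 8 */
} bitrd_t;

/* Read n bits (n <= 32). Bits past the end of the NAL read as zero without
 * touching memory, but bitpos still advances so the overrun is detectable. */
static uint32_t rd_bits(bitrd_t *r, unsigned n)
{
    uint32_t v = 0;
    while (n--) {
        size_t byte = r->bitpos >> 3;
        unsigned bit = 0;
        if (byte < r->len)
            bit = (r->buf[byte] >> (7 - (r->bitpos & 7))) & 1u;
        v = (v << 1) | bit;
        r->bitpos++;
    }
    return v;
}

typedef struct { uint32_t sps_id, width, height; } toy_sps_t;

/* Constructed sample: id=3, width=320, height=240 packed into 36 bits. */
static const uint8_t SAMPLE_NAL[5] = { 0x30, 0x14, 0x00, 0x0F, 0x00 };

/* Parse a toy header: 4-bit id, 16-bit width, 16-bit height.
 * Returns 0 on success, -1 if more bytes were read than the NAL holds. */
int parse_toy_sps(const uint8_t *nal, size_t nal_len, toy_sps_t *out)
{
    bitrd_t r = { nal, nal_len, 0 };
    toy_sps_t tmp;
    tmp.sps_id = rd_bits(&r, 4);
    tmp.width  = rd_bits(&r, 16);
    tmp.height = rd_bits(&r, 16);

    /* Bytes read must not exceed the NAL length. */
    size_t bytes_read = (r.bitpos + 7) >> 3;
    if (bytes_read > nal_len)
        return -1;  /* reject: never commit fields from a truncated header */
    *out = tmp;
    return 0;
}
```

Values are parsed into a temporary and copied out only after the length check, so a truncated header cannot leave partially attacker-controlled dimensions in decoder state.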

Exploitation

An attacker requires no authentication and can deliver the exploit by convincing a user to process a specially crafted media file (e.g., via a malicious app, web page, or MMS). The attacker does not need any special permissions; the file is processed by Mediaserver, which runs in a privileged context. The exploitation sequence involves crafting an HEVC video file with malformed SPS data that triggers the memory corruption when libhevc parses the video headers. No user interaction beyond opening the file is needed, and the attack can be launched remotely if the file is delivered over a network [1].

Impact

Successful exploitation allows an attacker to achieve remote code execution within the context of the Mediaserver process. Mediaserver runs with elevated privileges, so the attacker gains the ability to execute arbitrary code with the same permissions. This can lead to full compromise of the media service, potentially enabling further escalation or access to sensitive data. The impact is rated Critical due to the remote code execution capability [1].

Mitigation

Google released a fix as part of the May 2017 Android Security Bulletin; it was included in the Android Open Source Project (AOSP) on March 22, 2017 [2]. The fix is implemented in commit 45c97f878bee15cd97262fe7f57ecea71990fed7, which adds a bounds check to SPS parsing. Users should update to the latest security patch level for their device. No workaround is available other than applying the vendor-provided update. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

16
  • Google/Android: 14 versions
    • cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:7.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:7.1.2:*:*:*:*:*:*:*
    • (no CPE) range: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
    • (no CPE) range: 5.0.2
  • Google/libhevc (llm-create)
    Range: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
  • Range: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2

References

3
