CVE-2017-0591
Description
A remote code execution vulnerability in libavc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34097672.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption bug in libavc's H.264 decoder allows remote code execution via a crafted media file on Android 6.0 through 7.1.2.
Vulnerability
A remote code execution vulnerability exists in libavc, the software H.264/AVC decoder used by Android's Mediaserver. The bug is in the ih264d_utils.c file and stems from improper error handling when processing dangling fields with gaps in frames enabled; the field picture in cur_slice is incorrectly set to zero, causing subsequent memory operations to corrupt heap memory. Affected Android versions: 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2 [1][2].
Exploitation
An attacker must deliver a specially crafted media file to a vulnerable device, convincing the user to open it (e.g., via MMS, email, or a malicious app). No additional privileges are required. When Mediaserver parses the file, the flawed error-handling path in the decoder triggers a memory corruption that can be leveraged to hijack control flow [1].
Impact
Successful exploitation yields arbitrary code execution within the context of the Mediaserver process, which runs with high privileges. This can lead to full compromise of the media pipeline and potentially enable elevation of privilege or further system access. The vulnerability does not require user interaction beyond opening the crafted file [1].
Mitigation
Google released fixes as part of the May 2017 Android Security Bulletin [1]. The fix is identified in commit 5c3fd5d93a268abb20ff22f26009535b40db3c7d and was cherry-picked from commit 1a13168ca3510ba91274d10fdee46b3642cc9554 [2]. Users should apply the 2017-05-01 security patch level or later. No workaround is available; the vulnerability is not listed on CISA's KEV as of this writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.2:*:*:*:*:*:*:*
- (no CPE)range: 6.0
- Range: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- android.googlesource.com/platform/external/libavc/+/5c3fd5d93a268abb20ff22f26009535b40db3c7dnvdIssue TrackingPatchThird Party Advisory
- source.android.com/security/bulletin/2017-05-01nvdPatchVendor Advisory
- www.securityfocus.com/bid/98124nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.