CVE-2017-0642
Description
A remote denial of service vulnerability in libhevc in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34819017.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap bug in libhevc lets a remote attacker cause denial of service via a crafted file.
Vulnerability
A remote denial of service vulnerability exists in the libhevc library within Android's Mediaserver. The bug is a heap buffer overread in the ihevcd_ref_list.c file, where unallocated motion vector (mv) buffers were incorrectly checked when releasing references. This can be triggered by a specially crafted media file. Affected Android versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2 [1] [2].
Exploitation
An attacker needs to be able to deliver a specially crafted file to the target device, for example via a web browser, messaging application, or other media-handling component. No additional authentication or local access is required. The crafted file, when processed by Mediaserver, triggers the heap buffer overread condition in libhevc during slice header parsing [2].
Impact
Successful exploitation can cause the Mediaserver process to read beyond the allocated heap memory, leading to a device hang or reboot (denial of service). The vulnerability does not allow code execution or information disclosure, and the impact is limited to temporary denial of service [1].
Mitigation
Google released a security patch for this issue in the Android Security Bulletin dated June 2017. The fix is implemented in commit 913d9e8d93d6b81bb8eac3fc2c1426651f5b259d to the platform/external/libhevc repository. Users should update their devices to the latest available security patch level. No workarounds are provided. The issue is not listed in CISA's Known Exploited Vulnerabilities Catalog [1] [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.2:*:*:*:*:*:*:*
- (no CPE) range: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
- (no CPE) range: Android-5.0.2 Android-5.1.1
Patches
No patches discovered yet.
References
- source.android.com/security/bulletin/2017-06-01 (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/98868 (nvd: Third Party Advisory, VDB Entry)
- android.googlesource.com/platform/external/libhevc/+/913d9e8d93d6b81bb8eac3fc2c1426651f5b259d (nvd: Mailing List, Vendor Advisory)
- www.securitytracker.com/id/1038623 (nvd)