CVE-2017-0758
Description
A remote code execution vulnerability in the Android media framework (libhevc). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36492741.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in libhevc within Android's media framework allows remote code execution via a crafted file.
Vulnerability
A remote code execution vulnerability exists in the Android media framework's libhevc component. The bug is a heap buffer overflow that can be triggered when processing a specially crafted media file. Affected versions include Android 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2. The vulnerability is identified as Android ID A-36492741 [1].
Exploitation
No authentication or user interaction beyond normal media playback is required. An attacker can deliver a malicious media file through web browsing, messaging, or any other channel where Android processes media. The vulnerable code path is reached when the libhevc decoder parses the crafted input, leading to a heap buffer overflow [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the media server process (mediaserver). Code running there holds the media server's elevated privileges, which can lead to full compromise of the application's data and capabilities, potentially including access to sensitive information [1].
Mitigation
Google released a security patch as part of the September 2017 Android Security Bulletin. The fix was included in the 2017-09-05 security patch level for the affected Android versions. Users should apply the update from their device vendor as soon as it becomes available [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.2:*:*:*:*:*:*:*
- (no CPE) range: 5.0.2
Patches
No patches discovered yet.
References
- [1] source.android.com/security/bulletin/2017-09-01 (nvd: Patch, Vendor Advisory)
- [2] www.securityfocus.com/bid/100649 (nvd: Third Party Advisory, VDB Entry)