CVE-2019-15356
Description
A pre-installed app on the Lava Flair Z1 allows any co-located app to modify a system property via an exported interface without authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-15356 affects the Lava Flair Z1 Android device (build fingerprint LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys). The device contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that exposes an exported interface. Through this interface, any app installed on the same device can modify a system property without proper authorization, as disclosed by Kryptowire's analysis of Android firmware [1]. The vulnerability is present in the default system image and does not require any special configuration to be reachable.
Exploitation
An attacker needs only an app co-located on the same device; no special permissions, network position, or user interaction beyond installing a malicious or compromised app are required. The attack does not require authentication or write access beyond what a normal app possesses. By invoking the exported interface provided by com.mediatek.wfo.impl, the attacker can alter a system property, a step that typically requires system-level privileges. The exploitation does not involve a race window or complex sequence beyond calling the exposed interface.
Impact
Successful exploitation allows an unprivileged app to modify a system property, which can affect the behavior of the Android operating system. Depending on the property changed, this could lead to denial of service, privilege escalation, or other compromises of confidentiality, integrity, or availability. The attacker gains the ability to perform an action normally reserved for system-level apps, potentially toggling settings or affecting system services from a low-privilege context.
Mitigation
As of the publication date (2019-11-14), no official fix or updated firmware version has been disclosed for the Lava Flair Z1. The vulnerability is part of the vendor's stock firmware and affects com.mediatek.wfo.impl version 8.1.0. Users are advised to remove or disable the app if possible, or to restrict app installations from untrusted sources. The device may be considered end-of-life if no update is provided. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lava/Flair Z1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] www.kryptowire.com/android-firmware-2019/ (mitre, x_refsource_MISC)