CVE-2019-2059

Vulnerability

In libxaac, the AAC decoder library on Android 10, an out-of-bounds write occurs due to a missing bounds check. This vulnerability affects Android 10 (API level 29) as released, prior to the 2019-09-01 security patch level. User interaction is required for exploitation, such as opening a malicious media file.

Exploitation

An attacker can exploit this vulnerability by crafting a specially designed AAC audio file that triggers the out-of-bounds write when processed by libxaac. No additional execution privileges are needed beyond normal user access. The attacker must convince the user to open the malicious file through a messaging app, email, or web download.

Impact

Successful exploitation leads to remote code execution within the context of the media server process. This can allow the attacker to execute arbitrary code, potentially gaining full control over the affected device's media capabilities and possibly escalating privileges further.

Mitigation

The vulnerability is fixed in Android 10 with the security patch level of 2019-09-01, as indicated in the Android 10 Security Release Notes [1]. Devices that have applied this patch or later are protected. No workarounds are available; users should ensure their devices receive the latest security updates.