CVE-2019-2061
Description
In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112610994
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in libxaac on Android 10 allows remote code execution via a crafted audio file with user interaction.
Vulnerability
In libxaac, the AAC audio decoding library on Android 10, an out-of-bounds write occurs due to a missing bounds check. This vulnerability affects Android 10 (Android-10) devices with a security patch level before 2019-09-01 [1]. The issue is present in the library's handling of specially crafted audio data.
Exploitation
Exploitation requires user interaction, such as opening a malicious audio file or receiving it via a messaging or media application. No additional execution privileges are needed beyond the normal user context. An attacker can deliver the crafted file remotely (e.g., via email, web download, or messaging) and trigger the out-of-bounds write when the file is processed by libxaac.
Impact
Successful exploitation leads to remote code execution within the context of the media server or the application processing the audio. This can result in arbitrary code execution, potentially allowing the attacker to gain elevated privileges or access sensitive data, depending on the process's permissions.
Mitigation
The vulnerability is fixed in Android 10 with the security patch level of 2019-09-01 [1]. Users should ensure their devices have received this update. No workarounds are documented; the recommended mitigation is to apply the security patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)