CVE-2019-2064
Description
In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-116469592
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write flaw in libxaac on Android 10 allows remote code execution via a crafted media file, requiring user interaction.
Vulnerability
CVE-2019-2064 is an out-of-bounds write vulnerability in the libxaac library, which is part of Android's media framework. The flaw is due to a missing bounds check, allowing a crafted AAC audio file to trigger a write past the allocated buffer. The vulnerable code is reachable when a user processes a malicious audio file. This issue affects Android 10 releases prior to the 2019-09-01 security patch level [1].
Exploitation
Exploitation requires the attacker to convince a victim to open a specially crafted AAC audio file, either through a media player or other application that uses libxaac. No additional execution privileges are needed beyond user interaction. The attacker does not require any special network position beyond delivering the file (e.g., via email, messaging, or web download). The out-of-bounds write can corrupt memory in a way that allows control of program flow.
Impact
Successful exploitation can lead to remote code execution within the context of the media server process. An attacker could execute arbitrary code, potentially gaining access to sensitive data or further compromising the device. The impact is severe as it enables full compromise of the affected Android device's media capabilities [1].
Mitigation
The fix is included in Android 10 with the 2019-09-01 security patch level [1]. Users should update their devices to this patch level or later. No workarounds are available for unpatched devices. There is no indication that this CVE has been listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)