CVE-2019-2065

Vulnerability

In libxaac, the Android audio decoder library, a missing bounds check allows an out-of-bounds write. The vulnerability affects Android 10 (security patch level 2019-09-01) [1]. User interaction is required, as the attacker must convince the target to process a specially crafted media file.

Exploitation

An attacker can exploit the vulnerability by delivering a malicious AAC audio file to the victim. If the user opens the file or plays it through an affected application (e.g., a media player), libxaac processes the file. The missing bounds check during parsing or decoding causes an out-of-bounds write. The attacker does not need any additional execution privileges beyond what is needed to send the file [1].

Impact

Successful exploitation could lead to remote code execution. The attacker gains arbitrary code execution within the context of the affected media service process. This could allow further compromise of the device, depending on the process's privileges [1].

Mitigation

The vulnerability is fixed by the default security patch level of Android 10 (2019-09-01) [1]. Devices that have installed the Android 10 update or have a patch level of 2019-09-01 or later are protected. No additional workarounds are documented in the available references. There is no indication that this CVE is listed on the KEV catalog.