CVE-2019-2071
Description
In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-117216549
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check in libxaac on Android 10 can lead to remote code execution via an out-of-bounds write, requiring user interaction.
Vulnerability
A missing bounds check in the libxaac library, used for audio decoding on Android 10, allows an out-of-bounds write. The bug resides in the code handling crafted AAC audio files. Affected versions include Android 10 with security patch levels before 2019-09-01. The vulnerability is identified as Android ID A-117216549 [1].
Exploitation
An attacker must convince a user to process a specially crafted AAC audio file, for example, by playing a malicious media file or receiving it via messaging or web content. No additional execution privileges are needed beyond user interaction, such as opening the file in a media player or application using the libxaac library [1].
Impact
Successful exploitation leads to remote code execution in the context of the affected application or system service. This can result in full compromise of the device's confidentiality, integrity, and availability, as the attacker can execute arbitrary code [1].
Mitigation
The issue was fixed as part of the Android 10 release, with a default security patch level of 2019-09-01. Devices with a security patch level of 2019-09-01 or later are protected. Users should ensure their Android devices are updated to the latest security patch level [1]. No other workaround is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Android/Android (description)
Patches
No patches discovered yet.
References
[1] source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)