CVE-2019-2072

Vulnerability

In libxaac, a library for AAC audio decoding on Android 10, there is a missing bounds check that can lead to an out-of-bounds write [1]. This affects Android 10 devices with a security patch level before 2019-09-01 [1]. The vulnerability is triggered when processing a specially crafted media file, requiring user interaction such as opening the file [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious media file that causes an out-of-bounds write when decoded by libxaac [1]. The attacker does not need any additional execution privileges, but user interaction is required (e.g., the user must open the file) [1]. No authentication is needed to deliver the file, but the user must be tricked into opening it.

Impact

Successful exploitation could lead to remote code execution in the context of the media server process [1]. Depending on the process's privileges, the attacker could gain access to sensitive data, install applications, or perform other actions [1]. The scope is limited by Android's sandboxing, but code execution within the media server can lead to further compromise.

Mitigation

The vulnerability is fixed in Android 10 with a security patch level of 2019-09-01 or later [1]. Devices that have installed the September 2019 security update are protected. No workarounds are available for unpatched devices [1]. Users should ensure their devices are updated.