CVE-2019-2074

Vulnerability

CVE-2019-2074 is an out-of-bounds write vulnerability in the libxaac library on Android 10. It is caused by a missing bounds check, allowing a write beyond the allocated buffer. Affected versions are Android 10 (security patch level before 2019-09-01). This issue is referenced by Android ID A-116617847 [1].

Exploitation

Exploitation requires user interaction, such as opening a specially crafted media file. An attacker does not need any additional execution privileges; the vulnerability can be triggered by delivering the malicious file to a user and convincing them to open it. The missing bounds check in libxaac allows the attacker to control the write operation during AAC audio decoding.

Impact

Successful exploitation could lead to remote code execution in the context of the media service, potentially allowing the attacker to gain arbitrary code execution on the device. The impact includes compromise of confidentiality, integrity, and availability. Google's severity assessment considers this critical [1].

Mitigation

The issue is fixed in Android 10 with the 2019-09-01 security patch level, released as part of Android 10 on AOSP [1]. Users should update their devices to a security patch level of 2019-09-01 or later. No other workarounds are described. There is no evidence of exploitation in the wild [1].