CVE-2019-2079
Description
In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-115509210
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Android 10, libxaac has an out-of-bounds read vulnerability that could lead to information disclosure without additional privileges, requiring user interaction.
Vulnerability
An out-of-bounds read vulnerability exists in libxaac, the AAC audio decoder library, as shipped in Android 10. The bug is due to a missing bounds check, which allows reading memory beyond the intended buffer. This affects Android 10 devices with a security patch level before 2019-09-01. The issue is identified as Android ID A-115509210 [1].
Exploitation
Successful exploitation requires user interaction, such as opening a specially crafted audio file or receiving malicious media content. The attacker does not need any additional execution privileges beyond what a normal application already has on the device. The precise mechanism is not publicly described, but the code path is reachable when libxaac processes untrusted AAC audio data [1].
Impact
Exploitation results in information disclosure, allowing an attacker to read sensitive data from the process memory. The attacker gains no code execution or privilege escalation directly from this vulnerability. The disclosed information could include application data or other secrets residing in memory [1].
Mitigation
The vulnerability is fixed in Android 10 as part of the 2019-09-01 security patch level. Devices that have applied this or later updates are protected. No workaround is provided for unpatched devices; users should update to the latest Android version. There is no mention of this issue being on the CISA KEV list [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Android/Android (description)
Patches
No patches discovered yet.
References
[1] source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)