CVE-2019-2085
Description
In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-117496180
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote code execution via a heap out-of-bounds write in the libxaac library on Android 10. User interaction is required for exploitation.
Vulnerability
The vulnerability exists in the libxaac library, which is a multimedia codec for AAC audio decoding on Android. An out-of-bounds write can occur because of a missing bounds check. This issue affects Android versions up to and including Android 10, with a security patch level before 2019-09-01 [1]. The vulnerable code path is reachable when processing a specially crafted AAC audio file.
Exploitation
An attacker must persuade a user to open a malicious AAC audio file. No additional execution privileges are needed beyond the user's interaction. The attacker can target applications or system components that process audio through the libxaac library. The exploit sequence involves providing a crafted audio stream that triggers the out-of-bounds write when decoded.
Impact
Successful exploitation leads to remote code execution within the context of the application or process decoding the audio. This could allow the attacker to execute arbitrary code, potentially gaining control over the affected device or achieving privilege escalation. The impact is rated as critical (CVSS v3 base score: 9.8) for remote code execution, though user interaction is required.
Mitigation
The fix is included in Android 10, which has a default security patch level of 2019-09-01 [1]. Devices with a patch level of 2019-09-01 or later are protected. The issue is also addressed in the Android 10 security bulletin published August 20, 2019 [1]. No known workarounds are available for unpatched devices; users should update to the latest security patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Android/Android (description)
Patches
No patches discovered yet.
References
[1] source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)