CVE-2019-2139
Description
In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-117610049.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check in libxaac on Android 10 allows remote information disclosure via user interaction.
Vulnerability
CVE-2019-2139 is an out-of-bounds read vulnerability in the libxaac library, which is used for AAC audio decoding on Android 10. The bug is a missing bounds check that occurs during the processing of a crafted media file. This affects Android 10 (Android ID A-117610049) and is addressed in devices with a security patch level of 2019-09-01 or later [1].
Exploitation
An attacker must convince a user to open a specially crafted media file (e.g., via a messaging app, email, or web download). No additional execution privileges are needed beyond user interaction. The attack vector is remote and does not require the attacker to be on the same network segment.
Impact
Successful exploitation leads to information disclosure (read of out-of-bounds memory). The attacker can potentially leak sensitive data from the Android process heap or other memory regions. The vulnerability does not allow code execution or privilege escalation on its own.
Mitigation
The fix is included in Android 10, which was released on September 3, 2019, with a security patch level of 2019-09-01. Users should ensure their device has received the Android 10 update or a later security patch. No workaround is available for devices that cannot be updated. There is no indication that this CVE is listed on the CISA KEV as of writing [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
- source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)