CVE-2019-2149
Description
In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-113262406
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds read in libxaac on Android 10 could lead to local information disclosure via a crafted file, requiring user interaction.
Vulnerability
In libxaac, there is a possible out of bounds read due to a missing bounds check. This vulnerability affects Android 10 devices with a security patch level before 2019-09-01 [1]. The bug is reachable when a user opens a specially crafted file that triggers the flawed code path.
Exploitation
An attacker does not need any additional execution privileges. Exploitation requires user interaction, such as convincing a user to open a malicious media file. The crafted file must be parsed by a library that invokes the vulnerable libxaac code, which leads to the out-of-bounds read.
Impact
Successful exploitation results in information disclosure; the attacker can read sensitive data from memory without gaining code execution or elevated privileges. The scope is limited to the data accessible to the affected process.
Mitigation
The issue is fixed in Android 10 with the security patch level of 2019-09-01 [1]. Users should ensure their device has received the September 2019 security update or later. No workaround is available for unpatched devices.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Android/libxaac
- Range: =10
Patches
No patches discovered yet.
References
- [1] source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)