CVE-2019-2161
Description
In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112553431
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in libxaac on Android 10 could lead to information disclosure via a crafted media file.
Vulnerability
The vulnerability exists in libxaac, the AAC audio decoder library on Android 10. A missing bounds check allows an out-of-bounds read when processing a specially crafted audio file. This affects Android 10 (security patch level 2019-09-01 or earlier). The issue is identified as Android ID A-112553431.
Exploitation
An attacker must convince a user to open a malicious audio file (e.g., via a messaging app or web download). No additional execution privileges are required beyond normal user access. The user interaction is necessary to trigger the vulnerable code path in libxaac.
Impact
Successful exploitation could lead to information disclosure, potentially exposing sensitive data from the device's memory. The attacker gains no code execution or privilege escalation; the impact is limited to reading out-of-bounds memory.
Mitigation
The fix is included in Android 10 as released on AOSP with a security patch level of 2019-09-01. Users should ensure their device's security patch level is at least 2019-09-01. No workarounds are documented; updating to the latest Android version is recommended. [1]
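The patch-level check recommended above, as an added example that is not part of the original page or of any Android tooling: a shell script that classifies Android 10 devices by comparing their security patch level with 2019-09-01. The inventory lines and serials are constructed; `live_spl` assumes `adb` is installed and reads the standard `ro.build.version.security_patch` property.

```shell
#!/bin/sh
# Added example: flag devices whose security patch level is below 2019-09-01.
# Assumes every device in the inventory runs Android 10.
FIXED_SPL="2019-09-01"   # patch level named in the Mitigation text

# spl_is_valid SPL -> exit 0 if SPL has the form YYYY-MM-DD
spl_is_valid() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_spl SPL -> prints "patched", "needs-update" or "unknown"
classify_spl() {
    spl_is_valid "$1" || { echo unknown; return 0; }
    # ISO dates compare correctly as integers once the dashes are removed
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$FIXED_SPL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo needs-update; fi
}

# audit_inventory: reads "SERIAL SPL" lines on stdin, prints "SERIAL STATUS"
audit_inventory() {
    while read -r serial spl; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_spl "$spl")"
    done
}

# live_spl SERIAL -> patch level reported by a connected device (needs adb)
live_spl() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Constructed inventory; a missing or malformed value is reported as unknown
audit_inventory <<'EOF'
emulator-5554 2019-08-05
PIXEL0001 2019-09-01
PIXEL0002 2020-03-05
LAB0003 unknown-build
EOF
```

For a connected device, `classify_spl "$(live_spl SERIAL)"` gives the same verdict from the live property value.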
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 - Google/Android (description)
Patches
No patches discovered yet.
References
1 - source.android.com/security/bulletin/android-10 (mitre, x_refsource_MISC)