CVE-2019-9423
Description
In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: Android. Versions: Android-10. Android ID: A-110986616
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-9423 is an out-of-bounds write in OpenCV's libpng calls on Android 10, enabling local escalation of privilege without user interaction.
The vulnerability resides in OpenCV functions that invoke libpng for image processing. A missing bounds check leads to an out-of-bounds write when handling specially crafted PNG data, potentially corrupting adjacent memory. The issue is identified in Android's OpenCV usage and tracked as Android ID A-110986616 [1][3].
Exploitation requires no user interaction and no additional execution privileges beyond normal app permissions. An attacker already running a malicious application on an affected Android device can trigger the flaw by supplying a malformed PNG image to an OpenCV call. The attack surface is local, meaning the adversary must be on the device itself [1][3].
Successful exploitation could allow the attacker to escalate their privileges within the Android system, potentially gaining root or system-level access. This would enable them to bypass security restrictions, access sensitive data, or further compromise the device [1][3].
The vulnerability is addressed in Android 10, with devices that have a security patch level of 2019-09-01 or later being protected. The fix is included in the Android Open Source Project (AOSP) release, and partners were notified prior to disclosure [1]. No active exploitation was reported at publication [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencv-python (PyPI) | <= 4.1.1.26 | — |
| opencv-python-headless (PyPI) | <= 4.1.1.26 | — |
| opencv-contrib-python (PyPI) | <= 4.1.1.26 | — |
| opencv-contrib-python-headless (PyPI) | <= 4.1.1.26 | — |
Affected products
4 package coordinates (ghsa-coords), none with a CPE:
- pkg:pypi/opencv-contrib-python, range: <= 4.1.1.26
- pkg:pypi/opencv-contrib-python-headless, range: <= 4.1.1.26
- pkg:pypi/opencv-python, range: <= 4.1.1.26
- pkg:pypi/opencv-python-headless, range: <= 4.1.1.26
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-8849-5h85-98qw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-9423 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/10/25/17 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.openwall.com/lists/oss-security/2019/10/27/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.openwall.com/lists/oss-security/2019/11/07/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.openwall.com/lists/oss-security/2020/12/05/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- source.android.com/security/bulletin/android-10 (ghsa, x_refsource_MISC, WEB)