#VU40202 Buffer overflow in Google Android - CVE-2016-2508

Cybersecurity Help s.r.o.

Published: 2016-07-11 | Updated: 2020-08-09

Vulnerability identifier: #VU40202

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-2508

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

media/libmediaplayerservice/nuplayer/GenericSource.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 does not validate certain track data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 28799341.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android: 4.0 - 4.4.3, 5.0 - 5.1.0, 6.0 - 6.0.1

External links
https://source.android.com/security/bulletin/2016-07-01.html
https://android.googlesource.com/platform/frameworks/av/+/d112f7d0c1dbaf0368365885becb11ca8d3f13a4
https://android.googlesource.com/platform/frameworks/av/+/f81038006b4c59a5a148dcad887371206033c28f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in Google, Google Android