CVE-2015-3864
Published: 2015-10-01
Priority: P2 · 75 · critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 87.13% (99.7th percentile)
Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | <= 5.1 | — |
| android | — | — | — |
Detection & IOCs (extracted from sources)
- Detect delivery of a specially crafted MP4 file served with gzip Content-Encoding targeting Android mediaserver; the exploit server sets Content-Type: video/mp4 and Content-Encoding: gzip for the malicious file.
- Look for MP4 files containing two tx3g atoms whose combined sizes cause an integer overflow; the second tx3g atom will have a crafted negative/underflowed length field.
- Monitor the Android mediaserver process for anomalous heap allocations or crashes; the exploit corrupts MetaData read by the browser from mediaserver to leak heap and vtable addresses.
- Detect browser User-Agent strings matching Android 5.0/5.1 device builds (e.g., LRX21P, LRX22C, LMY47O, LMY48I) being served exploit MP4 content; the Metasploit module maps specific build strings to exploit targets.
- The exploit uses pssh, avcC, hvcC, and tx3g MP4 atom types for heap grooming and overflow; anomalous combinations of these atoms in a single MP4 trak box are a strong indicator of exploitation.
- The exploit page uses a JavaScript setTimeout reload loop (4000ms) to repeatedly attempt exploitation; detect HTML pages with this pattern serving MP4 video content.
- The exploit targets a heap spray address of 0xb3000000 and mmap address of 0x90000000 on ARM; memory forensics or crash dumps showing RIP/PC near these addresses indicate active exploitation.
- The Metasploit exploit only yields a shell on devices without SELinux or with SELinux in permissive mode; devices with enforcing SELinux (e.g., Nexus) block execve from the mediaserver process.
- The vulnerability exists because of an incomplete fix for CVE-2015-3824; patches for CVE-2015-3824 alone are insufficient to remediate this issue.
- The exploit is architecture-specific (ARM LE); x86, x86_64, and MIPS targets are noted as TODO in the Metasploit module.
- The Metaphor PoC includes lookup tables only for Nexus 5 Build LRX22C with Android 5.0.1; other targets require separate ROP chain development.
GHSA
GHSA-9pwf-jxj3-pf4m: Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor
ghsa_unreviewed·2022-05-17·CVSS 10.0
Project Zero
Stagefrightened? - Project Zero
project_zero·2015-09-01·CVSS 10.0
Posted by Mark Brand, Bypasser of Mitigations
There’s been a lot of attention recently around a number of vulnerabilities in Android’s libstagefright. There’s been a lot of confusion about the remote exploitability of the issues, especially on modern devices. In this blog post we will demonstrate an exploit for one of the libstagefright vulnerabilities that works on recent Android versions (Android 5.0+ on Nexus 5).
The vulnerability (CVE-2015-3864) that we’ve chosen to exploit is an imperfect patch for one of the issues reported by Joshua Drake, which has been fixed for Nexus devices in the September bulletin. Several parties noticed the problem, including at least Exodus Intel and Natalie Silvanovich of Project Zero. It’s a promising looking bug from an exploitation perspective: a li
Android
CVE-2015-3864: Android Security Bulletin 2015-09-01
vendor_android·2015-09-01·CVSS 10.0
CVE: CVE-2015-3864
Severity: CRITICAL
Affected AOSP versions: 5.1 and below
No detection rules found.
Exploit-DB
Google Android 5.0 < 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)
exploitdb·2016-09-27
"Android Stagefright MP4 tx3g Integer Overflow",
'Description' => %q{
This module exploits an integer overflow vulnerability in the Stagefright
Library (libstagefright.so). The vulnerability occurs when parsing specially
crafted MP4 files. While a wide variety of remote attack vectors exist, this
particular exploit is designed to work within an HTML5 compliant browser.
Exploitation is done by supplying a specially crafted MP4 file with two
tx3g atoms that, when their sizes are summed, cause an integer overflow when
processing the second atom. As a result, a temporary buffer is allocated
with insufficient size and a memcpy call leads to a heap overflow.
This version of the exploit uses a two-stage information leak based on
corrupting the MetaData that the browser reads f
Exploit-DB
Google Android 5.0.1 - Metaphor Stagefright (ASLR Bypass)
exploitdb·2016-03-30
---
Source: https://github.com/NorthBit/Metaphor
Metaphor - Stagefright with ASLR bypass By Hanan Be'er from NorthBit Ltd.
Link to whitepaper: https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf
Twitter: https://twitter.com/High_Byte
Metaphor's source code is now released! The source includes a PoC that generates MP4 exploits in real time and bypasses ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. The server side of the PoC includes simple PHP scripts that run the exploit generator - I'm using XAMPP to serve gzipped MP4 files. The attack page is index.php.
The exploit generator is written in Python and used by the PHP code.
usage: metaphor.py [-h] [-c CONFIG] -o OUTPUT
Exploit-DB
Google Android - libstagefright Integer Overflow Remote Code Execution
exploitdb·2015-09-17
```python
#!/usr/bin/python2
import cherrypy
import os
import pwnlib.asm as asm
import pwnlib.elf as elf
import sys
import struct

with open('shellcode.bin', 'rb') as tmp:
    shellcode = tmp.read()
while len(shellcode) % 4 != 0:
    shellcode += '\x00'

# heap grooming configuration
alloc_size = 0x20
groom_count = 0x4
spray_size = 0x100000
spray_count = 0x10

# address of the buffer we allocate for our shellcode
mmap_address = 0x90000000

# addresses that we need to predict
libc_base = 0xb6ebd000
spray_address = 0xb3000000

# ROP gadget addresses
stack_pivot = None
pop_pc = None
pop_r0_r1_r2_r3_pc = None
pop_r4_r5_r6_r7_pc = None
ldr_lr_bx_lr = None
ldr_lr_bx_lr_stack_pad = 0
mmap64 = None
memcpy = None

def find_arm_gadget(e,
```
Metasploit
Android Stagefright MP4 tx3g Integer Overflow
metasploit
This module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a
arXiv
Virtual Reality, Real Problems: A Longitudinal Security Analysis of VR Firmware
arxiv_fulltext·2025-09-07
## Abstract
Virtual Reality (VR) technology is rapidly growing in recent years. VR devices such as Meta Quest 3 utilize numerous sensors to collect users' data to provide an immersive experience. Due to the extensive data collection and the immersive nature, the security of VR devices is paramount. Leading VR devices often adopt and customize Android systems, which makes them susceptible to both Android-based vulnerabilities and new issues introduced by VR-specific customizations (e.g., system services to support continuous head and hand tracking). While prior work has extensively examined the security properties of the Android software stack, how these security properties hold for VR systems remains unexplored. In this paper, we present the first comprehensive security analysis of VR fi
Bugzilla
Integer overflow in libstagefright might lead to heap overflow
bugzilla·2015-04-26
Turned out, bug 1154683 was incorrectly fixed.
While it fixes one problem, the vulnerability wasn't patched for all cases.
Discussion:
The issue was limited to 32-bit systems.
---
Created attachment 8597673
Fix potential size overflow
Fix potential out of bound writes
---
Created attachment 8597675
Fix potential size overflow
In theory, size_t may be less than sizeof(uint32_t). So handle that case, and use a fallible array instead of mallocing a big array, and simply ignore the metadata altogether if we couldn't allocate memory. Slightly more elegant solution.
---
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/1b04bf621858
---
Comment on attachment 8597675
Fix potential size overflow
[Feature/reg
References
- http://www.securityfocus.com/bid/76682
- https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968
- https://blog.zimperium.com/cve-2015-3864-metasploit-module-now-available-for-testing/
- https://blog.zimperium.com/reflecting-on-stagefright-patches/
- https://groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ
- https://www.exploit-db.com/exploits/38226/
- https://www.exploit-db.com/exploits/39640/
- https://www.exploit-db.com/exploits/40436/