CVE-2017-0855Missing Release of Resource after Effective Lifetime in INC Android

CWE-772Missing Release of Resource after Effective Lifetime4 documents4 sources
Severity
7.5HIGHNVD
EPSS
2.3%
top 15.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Google INC AndroidGoogle Android
Timeline
PublishedJan 12
Latest updateMay 13

Description

In MPEG4Extractor.cpp, there are several places where functions return early without cleaning up internal buffers which could lead to memory leaks. This could lead to remote denial of service of a critical system process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-64452857.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDgoogle/android7 versions+6
CVEListV5google_inc/android7 versions+6

Patches

Patch: source.android.comPatch: source.android.com

🔴Vulnerability Details

2
GHSA
GHSA-7pjw-hhxr-hpp2: In MPEG4Extractor2022-05-13
CVEList
CVE-2017-0855: In MPEG4Extractor2018-01-12

📋Vendor Advisories

1
Android
CVE-2017-0855: Android Security Bulletin 2018-01-01 CVE: CVE-2017-0855 Severity: HIGH Type: DoS Affected AOSP versions: 52018-01-01
CVE-2017-0855 — Google INC Android vulnerability | cvebase