CVE-2019-2107
Published 2019-07-08
Priority P265 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.93% (94.6th percentile)
In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
Detection & IOCs (extracted from sources)
- Monitor for SIGSEGV (signal 11) crashes in the mediaextractor process (media.extractor) on Android 7.0–9, particularly with fault addresses consistent with out-of-bounds write, when processing HEVC/H.265 video files.
- Detect HEVC/H.265 (video/hevc) media files with malformed tile width parameters: look for log entries 'Invalid tile widths' and 'PPS id out of range' from the HEVC decoder, which indicate a crafted file triggering the vulnerable code path in ihevcd_parse_pps.
- The exploit requires tiles to be enabled in the HEVC PPS (ps_pps->i1_tiles_enabled_flag set). Inspect suspicious HEVC files for tile-enabled PPS structures with tile widths exceeding pic_wd_in_ctb bounds as the trigger condition.
- The vulnerable codec component is OMX.google.hevc.decoder running under the mediacodec user. Alert on unexpected crashes or tombstones generated by this component when processing externally-supplied .mp4 or HEVC container files.
- Check Android tombstone/crash logs for crashes in the mediaextractor process on arm64 devices (ABI: arm64) with SEGV_MAPERR, as the PoC confirmed exploitation on Samsung Galaxy S7 Edge (hero2lte) running Android 8.0.
- Non-Google Android builds using FFmpeg (e.g., LineageOS) reject the malicious HEVC file at the FFmpeg layer before reaching the vulnerable libhevc code, so the crash/RCE path is specific to stock Android using OMX.google.hevc.decoder (libhevc).
- Affected Android versions are 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 only. Devices patched with the 2019-07-01 Android Security Bulletin are not vulnerable.
CVSS provenance
nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
Android
CVE-2019-2107: Android Security Bulletin 2019-07-01
vendor_android·2019-07-01·CVSS 8.8
CVE-2019-2107 [HIGH] CVE-2019-2107: Android Security Bulletin 2019-07-01
Android Security Bulletin 2019-07-01
CVE: CVE-2019-2107
Severity: CRITICAL
Type: RCE
Affected AOSP versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
References: A-130024844
GHSA
GHSA-vg4v-7hfq-54r3: In ihevcd_parse_pps of ihevcd_parse_headers
ghsa_unreviewed·2022-05-24
CVE-2019-2107 [HIGH] CWE-787 GHSA-vg4v-7hfq-54r3: In ihevcd_parse_pps of ihevcd_parse_headers
No detection rules found.
Exploit-DB
Android 7 < 9 - Remote Code Execution
exploitdb·2019-07-24·CVSS 8.8
CVE-2019-2107 [HIGH] Android 7 < 9 - Remote Code Execution
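With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HEVC (a.k.a H.265 and MPEG-H Part 2)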
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47157.zip
Exploit-DB
Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write
exploitdb·2019-07-15·CVSS 8.8
CVE-2019-2107 [HIGH] Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write
---
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HEVC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
More info
LineageOS (Android):
02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Inval
No writeups or analysis indexed.
http://packetstormsecurity.com/files/153628/Android-VideoPlayer-ihevcd_parse_pps-Out-Of-Bounds-Write.html
http://seclists.org/fulldisclosure/2019/Jul/18
https://source.android.com/security/bulletin/2019-07-01
Published: 2019-07-08