CVE-2019-2107
published 2019-07-08


Priority: P265 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.93% (94.6th percentile)
In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
google | android
google | android
google | android
google | android
google | android
google | android
google | android
google | android

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47157.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47119.zip
filename: hevc-crash-poc.mp4
filename: videopoc.mp4
process: mediaextractor
  • Monitor for SIGSEGV (signal 11) crashes in the mediaextractor process (media.extractor) on Android 7.0–9 while it processes HEVC/H.265 video files, particularly crashes whose fault address is consistent with an out-of-bounds write.
  • Detect HEVC/H.265 (video/hevc) media files with malformed tile width parameters — look for log entries 'Invalid tile widths' and 'PPS id out of range' from the HEVC decoder, which indicate a crafted file triggering the vulnerable code path in ihevcd_parse_pps.
  • The exploit requires tiles to be enabled in the HEVC PPS (ps_pps->i1_tiles_enabled_flag set). Inspect suspicious HEVC files for tile-enabled PPS structures with tile widths exceeding pic_wd_in_ctb bounds as the trigger condition.
  • The vulnerable codec component is OMX.google.hevc.decoder running under the mediacodec user. Alert on unexpected crashes or tombstones generated by this component when processing externally-supplied .mp4 or HEVC container files.
  • Check Android tombstone/crash logs for crashes in the mediaextractor process on arm64 devices (ABI: arm64) with SEGV_MAPERR, as the PoC confirmed exploitation on Samsung Galaxy S7 Edge (hero2lte) running Android 8.0.
  • Non-Google Android builds using FFmpeg (e.g., LineageOS) reject the malicious HEVC file at the FFmpeg layer before reaching the vulnerable libhevc code, so the crash/RCE path is specific to stock Android using OMX.google.hevc.decoder (libhevc).
  • Affected Android versions are 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 only. Devices patched with the 2019-07-01 Android Security Bulletin are not vulnerable.
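
The checks above can be combined into one triage pass over a logcat/tombstone capture. This is an added example, not code from the page or from Android. The decoder messages, process names and component name are the ones listed above, while the log tags, pids and addresses in the sample are constructed.

```python
import re

# Indicator strings taken from the detection notes above.
DECODER_MSGS = ("Invalid tile widths", "PPS id out of range")
PROCESSES = ("mediaextractor", "media.extractor")
COMPONENT = "OMX.google.hevc.decoder"
# Tombstone header lines in the format Android's crash dumper writes.
PROC_RE = re.compile(r"pid: \d+, tid: \d+, name: .*>>> (\S+) <<<")
SIG_RE = re.compile(r"signal (\d+) \(\w+\), code -?\d+ \((\w+)\), fault addr (\S+)")


def triage(lines):
    """Return the CVE-2019-2107 indicators found in a log capture."""
    hits = {"decoder_msgs": [], "component_seen": False, "crashes": []}
    current = None  # process named by the most recent tombstone header
    for line in lines:
        hits["decoder_msgs"] += [m for m in DECODER_MSGS
                                 if m in line and m not in hits["decoder_msgs"]]
        hits["component_seen"] |= COMPONENT in line
        proc = PROC_RE.search(line)
        sig = SIG_RE.search(line)
        if proc:
            current = proc.group(1)
        elif sig:
            signo, code, addr = sig.groups()
            if current in PROCESSES and signo == "11":
                hits["crashes"].append({"process": current, "code": code, "fault_addr": addr})
            current = None
    # A decoder warning plus a media-process SIGSEGV in one capture is the strongest signal.
    if hits["crashes"] and hits["decoder_msgs"]:
        hits["verdict"] = "high"
    elif hits["crashes"] or hits["decoder_msgs"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "none"
    return hits


# Constructed sample capture (log tags, pids and addresses are made up).
SAMPLE = [
    "07-10 12:00:01.050  4400  4412 I ExampleTag: allocating OMX.google.hevc.decoder",
    "07-10 12:00:01.101  4321  4330 E ExampleTag: Invalid tile widths",
    "ABI: 'arm64'",
    "pid: 4321, tid: 4330, name: generic  >>> mediaextractor <<<",
    "signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7a1c2ff000",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```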

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C