ASB-A-301470262

See a problem?
Import Source
https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json
JSON Data
https://api.test.osv.dev/v1/vulns/ASB-A-301470262
Aliases
  • A-301470262
  • CVE-2025-26455
Published
2025-06-01T00:00:00Z
Modified
2025-08-07T04:57:14.026746Z
Summary
[none]
Details

In multiple functions of NdkMediaCodec.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/av

Package

Name
platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
16-next:0
Fixed
16-next:2025-06-01

Affected versions

Other

16-next

Ecosystem specific 

{
    "types": [
        "EoP"
    ],
    "spl": "2025-06-01",
    "severity": "High",
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "98694987338145071947296608874201862107",
                "length": 715.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458",
            "id": "ASB-A-301470262-2661c3b9"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getInputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "305793044022599432944075141835477326463",
                "length": 811.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458",
            "id": "ASB-A-301470262-4b7c555d"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "line_hashes": [
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "226404815339819498657362227062984340364",
                    "327188650271913730232397723474300298690",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "44838245825590593655464951426693163600",
                    "88608768875686165973028908612579388024",
                    "155203362141733110879560540315643344056",
                    "7124372441177190717609079404781532088",
                    "270757280497983356755606498210015147891",
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "36960143002159883296876170264643606198",
                    "254656710729864865729537234410561843857",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "169953714638657631881455144958345453661",
                    "284481401333772062076841903110157569174",
                    "44113216220255611064517012692770715403",
                    "315864493507467516835953944719729196448"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458",
            "id": "ASB-A-301470262-e02d2d57"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_dequeueOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "131535608617307715521765791811359423310",
                "length": 648.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458",
            "id": "ASB-A-301470262-e443f23f"
        }
    ],
    "fixes": [
        "https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458"
    ]
}

Database specific

source

"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"

Android / platform/frameworks/av

Package

Name
platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15:0
Fixed
15:2025-06-01

Affected versions

Other

15

Ecosystem specific 

{
    "types": [
        "EoP"
    ],
    "spl": "2025-06-01",
    "severity": "High",
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "98694987338145071947296608874201862107",
                "length": 715.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c",
            "id": "ASB-A-301470262-3851dc88"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "line_hashes": [
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "226404815339819498657362227062984340364",
                    "327188650271913730232397723474300298690",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "44838245825590593655464951426693163600",
                    "88608768875686165973028908612579388024",
                    "155203362141733110879560540315643344056",
                    "7124372441177190717609079404781532088",
                    "270757280497983356755606498210015147891",
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "36960143002159883296876170264643606198",
                    "254656710729864865729537234410561843857",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "169953714638657631881455144958345453661",
                    "284481401333772062076841903110157569174",
                    "44113216220255611064517012692770715403",
                    "315864493507467516835953944719729196448"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c",
            "id": "ASB-A-301470262-45208d75"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_dequeueOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "131535608617307715521765791811359423310",
                "length": 648.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c",
            "id": "ASB-A-301470262-a7c284dc"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getInputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "305793044022599432944075141835477326463",
                "length": 811.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c",
            "id": "ASB-A-301470262-ca694dc4"
        }
    ],
    "fixes": [
        "https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c"
    ]
}

Database specific

source

"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"

Android / platform/frameworks/av

Package

Name
platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2025-06-01

Affected versions

Other

13

Ecosystem specific 

{
    "types": [
        "EoP"
    ],
    "spl": "2025-06-01",
    "severity": "High",
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_dequeueOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "131535608617307715521765791811359423310",
                "length": 648.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-845a6f5b"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "line_hashes": [
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "226404815339819498657362227062984340364",
                    "327188650271913730232397723474300298690",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "44838245825590593655464951426693163600",
                    "88608768875686165973028908612579388024",
                    "155203362141733110879560540315643344056",
                    "7124372441177190717609079404781532088",
                    "270757280497983356755606498210015147891",
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "36960143002159883296876170264643606198",
                    "254656710729864865729537234410561843857",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "169953714638657631881455144958345453661",
                    "284481401333772062076841903110157569174",
                    "44113216220255611064517012692770715403",
                    "315864493507467516835953944719729196448"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-a3cb1e90"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getInputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "305793044022599432944075141835477326463",
                "length": 811.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-f5b983f6"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "98694987338145071947296608874201862107",
                "length": 715.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-f6b2a105"
        }
    ],
    "fixes": [
        "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b"
    ]
}

Database specific

source

"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"

Android / platform/frameworks/av

Package

Name
platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2025-06-01

Affected versions

Other

14

Ecosystem specific 

{
    "types": [
        "EoP"
    ],
    "spl": "2025-06-01",
    "severity": "High",
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_dequeueOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "131535608617307715521765791811359423310",
                "length": 648.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-1d4029ca"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "line_hashes": [
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "226404815339819498657362227062984340364",
                    "327188650271913730232397723474300298690",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "44838245825590593655464951426693163600",
                    "88608768875686165973028908612579388024",
                    "155203362141733110879560540315643344056",
                    "7124372441177190717609079404781532088",
                    "270757280497983356755606498210015147891",
                    "71600360415418129174559212431824992477",
                    "76563954033470350988805698783571700052",
                    "36960143002159883296876170264643606198",
                    "254656710729864865729537234410561843857",
                    "94965926434051169257640214182215033121",
                    "337426919657139814683692752285689876091",
                    "169953714638657631881455144958345453661",
                    "284481401333772062076841903110157569174",
                    "44113216220255611064517012692770715403",
                    "315864493507467516835953944719729196448"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-32b6241c"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getOutputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "98694987338145071947296608874201862107",
                "length": 715.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-6306815a"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "function": "AMediaCodec_getInputBuffer",
                "file": "media/ndk/NdkMediaCodec.cpp"
            },
            "digest": {
                "function_hash": "305793044022599432944075141835477326463",
                "length": 811.0
            },
            "signature_type": "Function",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b",
            "id": "ASB-A-301470262-636948db"
        }
    ],
    "fixes": [
        "https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b"
    ]
}

Database specific

source

"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"