Marco Nelissen

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.127 Linux kernel versions prior to 6.6.74 Linux kernel versions prior to 6.12.11 **Description** The issue is related to the iomap write delalloc scan() function in the Linux kernel, which can lead to an infinite loop due to numerical truncation when writing to an xfs filesystem on 32-bit kernels. This occurs because folio next index() returns an unsigned long, causing iomap write delalloc scan() to inadvertently use a 32-bit position. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Linux kernel versions prior to 6.1.127, update to version 6.1.127 or later to resolve the issue. For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. For Linux kernel versions prior to 6.12.11, update to version 6.12.11 or later to resolve the issue. As a temporary workaround, consider avoiding writing to xfs filesystems on 32-bit kernels until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.15.177 Linux kernel versions prior to 6.1.127 Linux kernel versions prior to 6.6.74 Linux kernel versions prior to 6.12.11 **Description** The issue is related to the `folio seek hole data()` function in the Linux kernel, which inadvertently truncates a 64-bit value to 32 bits on 32-bit kernels. This can lead to a possible infinite loop when writing to an xfs filesystem. The vulnerability may allow an attacker to cause a denial of service. **Recommendations** For Linux kernel versions prior to 5.15.177, update to version 5.15.177 or later. For Linux kernel versions prior to 6.1.127, update to version 6.1.127 or later. For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later. For Linux kernel versions prior to 6.12.11, update to version 6.12.11 or later. As a temporary workaround, consider restricting access to the `folio seek hole data()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** jhead versions 2.87 Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-08-01 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via crafted EXIF data. This is due to a buffer overflow in the exif.c file of the jhead tool, which is used in the libjhead library in Android. **Recommendations** For jhead version 2.87, update to a newer version to mitigate the risk. For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-08-01, update to a version released on or after 2016-08-01.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-06-01 **Description** The issue is related to the libstagefright component in the mediaserver of the Android operating system, which does not validate OMX buffer sizes for the GSM and G711 codecs. This allows attackers to gain privileges via a crafted application, potentially obtaining Signature or SignatureOrSystem access. The exploitation of this issue can enable a remote attacker to elevate their privileges using a specially crafted application. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-06-01, ensure that the June 2016 security patch is applied.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-06-01 **Description** The issue is related to the mediaserver in Android, which does not validate OMX buffer sizes. This allows attackers to gain privileges via a crafted application, potentially obtaining Signature or SignatureOrSystem access. The vulnerability can be exploited by a remote attacker using a specially crafted application to elevate their privileges. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-06-01, ensure that the device is updated to a version released on or after 2016-06-01.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.4 Android versions 5.0.x through 5.0.2 Android versions 5.1.x through 5.1.1 Android versions 6.x before 2016-04-01 **Description** The issue allows attackers to obtain sensitive information from process memory and bypass an unspecified protection mechanism via unspecified vectors. This can be demonstrated by obtaining Signature or SignatureOrSystem access. The vulnerability is related to the media/libmedia/IOMX.cpp component in the mediaserver of the Android operating system, which does not initialize a parameter data structure. **Recommendations** For Android versions 4.x through 4.4.4, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.2, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.1, update to version 5.1.1 or later. For Android versions 6.x before 2016-04-01, update to a version released after 2016-04-01.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-04-01 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted media file. This is due to an out-of-bounds read and memory corruption in the MPEG4Extractor.cpp function of the libstagefright library in the mediaserver component. The exploitation of this issue can lead to the execution of arbitrary code or a denial of service. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-04-01, update to a version released on or after 2016-04-01.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.4 Android versions 5.x through 5.1.1 LMY49H Android versions 6.x before 2016-03-01 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file. This is due to insufficient input validation in the `MPEG4Source::fragmentedRead` function. **Recommendations** For Android versions 4.x through 4.4.4, update to version 4.4.4 or later. For Android versions 5.x through 5.1.1 LMY49H, update to version 5.1.1 LMY49H or later. For Android versions 6.x before 2016-03-01, update to a version released after 2016-03-01.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48M **Description** The issue is related to multiple integer overflows in the `addVorbisCodecInfo` function in `matroska/MatroskaExtractor.cpp` in `libstagefright` in `mediaserver`. This allows remote attackers to cause a denial of service, leading to device inoperability, via crafted Matroska data. **Recommendations** For Android versions prior to 5.1.1 LMY48M, update to version 5.1.1 LMY48M or later to resolve the issue. As a temporary workaround, consider restricting the use of `libstagefright` to minimize the risk of exploitation. Avoid using the `addVorbisCodecInfo` function in `matroska/MatroskaExtractor.cpp` until the issue is resolved.