CVE-2015-3828

Name of the Vulnerable Software and Affected Versions Android versions prior to 5.1.1 LMY48I

Description The issue is related to the MPEG4Extractor::parse3GPPMetaData function in the libstagefright library, which does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM). This allows remote attackers to execute arbitrary code or cause a denial of service via crafted 3GPP metadata, resulting in integer underflow and memory corruption. The vulnerability can be exploited to remotely execute code in affected devices.

Recommendations For versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the libstagefright library until a patch is available. Avoid using the MPEG4Extractor::parse3GPPMetaData function in the affected library to minimize the risk of exploitation.