CVE-2015-3826

Name of the Vulnerable Software and Affected Versions Android versions prior to 5.1.1 LMY48I

Description The issue is related to the MPEG4Extractor::parse3GPPMetaData function in the libstagefright library, which does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM). This allows remote attackers to cause a denial of service, including integer underflow, buffer over-read, and mediaserver process crash, via crafted 3GPP metadata. The vulnerability is also associated with an integer overflow.

Recommendations For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the libstagefright library until a patch is available. Avoid using crafted 3GPP metadata to minimize the risk of exploitation.