CVE-2017-13178

Name of the Vulnerable Software and Affected Versions Android versions 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1

Description The issue is related to a possible out-of-bounds write in the initDecoder function of SoftAVCDec, which could lead to remote code execution as a privileged process. This can occur due to a use after free when buffer allocation fails. User interaction is not needed for exploitation. The vulnerability is associated with a write beyond the buffer boundaries in memory, allowing a remote attacker to execute arbitrary code in the context of a privileged process.

Recommendations For Android versions 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1, consider disabling the initDecoder function in SoftHEVC.cpp as a temporary workaround until a patch is available. Restrict access to the /media/libstagefright/codecs/hevcdec/SoftHEVC.cpp module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.