CVE-2019-9371

Published: 27 September 2019

In libvpx, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-132783254

Notes

Author: alexmurray
Note: Updated third_party libwebm is only in >= 1.8.1

Priority

Low

CVSS 3 Severity Score

6.5

Status

Package: libvpx (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Released (1.7.0-3ubuntu0.18.04.1)
disco     Released (1.7.0-3ubuntu0.19.04.1)
eoan      Not vulnerable (1.8.1-2)
precise   Does not exist
trusty    Not vulnerable (code not present)
upstream  Needs triage
xenial    Not vulnerable (code not present)

Patches:
upstream: https://github.com/webmproject/libvpx/commit/34d54b04e98dd0bac32e9aab0fbda0bf501bc742
upstream: https://github.com/webmproject/libvpx/commit/f00890eecdf8365ea125ac16769a83aa6b68792d

Severity score breakdown

Parameter            Value
Base score           6.5
Attack vector        Network
Attack complexity    Low
Privileges required  None
User interaction     Required
Scope                Unchanged
Confidentiality      None
Integrity impact     None
Availability impact  High
Vector               CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H