{"id":"ASB-A-301470262","details":"In multiple functions of NdkMediaCodec.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-301470262","CVE-2025-26455"],"modified":"2026-03-11T06:29:35.246218Z","published":"2025-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/e28ca0c3d70c67cda2a09dc2d663a3395b13c779"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-06-01"}]}],"versions":["16-next"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458"],"vanir_signatures":[{"digest":{"length":715,"function_hash":"98694987338145071947296608874201862107"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-2661c3b9","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458","deprecated":false,"target":{"function":"AMediaCodec_getOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":811,"function_hash":"305793044022599432944075141835477326463"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-4b7c555d","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458","deprecated":false,"target":{"function":"AMediaCodec_getInputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"line_hashes":["71600360415418129174559212431824992477","76563954033470350988805698783571700052","226404815339819498657362227062984340364","327188650271913730232397723474300298690","94965926434051169257640214182215033121","337426919657139814683692752285689876091","44838245825590593655464951426693163600","88608768875686165973028908612579388024","155203362141733110879560540315643344056","7124372441177190717609079404781532088","270757280497983356755606498210015147891","71600360415418129174559212431824992477","76563954033470350988805698783571700052","36960143002159883296876170264643606198","254656710729864865729537234410561843857","94965926434051169257640214182215033121","337426919657139814683692752285689876091","169953714638657631881455144958345453661","284481401333772062076841903110157569174","44113216220255611064517012692770715403","315864493507467516835953944719729196448"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","id":"ASB-A-301470262-e02d2d57","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458","deprecated":false,"target":{"file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":648,"function_hash":"131535608617307715521765791811359423310"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-e443f23f","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/d69fe7b73a0ed14c2b5bc237f1a42314140c9458","deprecated":false,"target":{"function":"AMediaCodec_dequeueOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}}],"types":["EoP"],"severity":"High","spl":"2025-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-06-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c"],"vanir_signatures":[{"digest":{"length":715,"function_hash":"98694987338145071947296608874201862107"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-3851dc88","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c","deprecated":false,"target":{"function":"AMediaCodec_getOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"line_hashes":["71600360415418129174559212431824992477","76563954033470350988805698783571700052","226404815339819498657362227062984340364","327188650271913730232397723474300298690","94965926434051169257640214182215033121","337426919657139814683692752285689876091","44838245825590593655464951426693163600","88608768875686165973028908612579388024","155203362141733110879560540315643344056","7124372441177190717609079404781532088","270757280497983356755606498210015147891","71600360415418129174559212431824992477","76563954033470350988805698783571700052","36960143002159883296876170264643606198","254656710729864865729537234410561843857","94965926434051169257640214182215033121","337426919657139814683692752285689876091","169953714638657631881455144958345453661","284481401333772062076841903110157569174","44113216220255611064517012692770715403","315864493507467516835953944719729196448"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","id":"ASB-A-301470262-45208d75","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c","deprecated":false,"target":{"file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":648,"function_hash":"131535608617307715521765791811359423310"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-a7c284dc","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c","deprecated":false,"target":{"function":"AMediaCodec_dequeueOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":811,"function_hash":"305793044022599432944075141835477326463"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-ca694dc4","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c","deprecated":false,"target":{"function":"AMediaCodec_getInputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}}],"types":["EoP"],"severity":"High","spl":"2025-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-06-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b"],"vanir_signatures":[{"digest":{"length":648,"function_hash":"131535608617307715521765791811359423310"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-845a6f5b","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"function":"AMediaCodec_dequeueOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"line_hashes":["71600360415418129174559212431824992477","76563954033470350988805698783571700052","226404815339819498657362227062984340364","327188650271913730232397723474300298690","94965926434051169257640214182215033121","337426919657139814683692752285689876091","44838245825590593655464951426693163600","88608768875686165973028908612579388024","155203362141733110879560540315643344056","7124372441177190717609079404781532088","270757280497983356755606498210015147891","71600360415418129174559212431824992477","76563954033470350988805698783571700052","36960143002159883296876170264643606198","254656710729864865729537234410561843857","94965926434051169257640214182215033121","337426919657139814683692752285689876091","169953714638657631881455144958345453661","284481401333772062076841903110157569174","44113216220255611064517012692770715403","315864493507467516835953944719729196448"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","id":"ASB-A-301470262-a3cb1e90","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":811,"function_hash":"305793044022599432944075141835477326463"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-f5b983f6","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"function":"AMediaCodec_getInputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":715,"function_hash":"98694987338145071947296608874201862107"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-f6b2a105","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"function":"AMediaCodec_getOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}}],"types":["EoP"],"severity":"High","spl":"2025-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-06-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b"],"vanir_signatures":[{"digest":{"length":648,"function_hash":"131535608617307715521765791811359423310"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-1d4029ca","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"function":"AMediaCodec_dequeueOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"line_hashes":["71600360415418129174559212431824992477","76563954033470350988805698783571700052","226404815339819498657362227062984340364","327188650271913730232397723474300298690","94965926434051169257640214182215033121","337426919657139814683692752285689876091","44838245825590593655464951426693163600","88608768875686165973028908612579388024","155203362141733110879560540315643344056","7124372441177190717609079404781532088","270757280497983356755606498210015147891","71600360415418129174559212431824992477","76563954033470350988805698783571700052","36960143002159883296876170264643606198","254656710729864865729537234410561843857","94965926434051169257640214182215033121","337426919657139814683692752285689876091","169953714638657631881455144958345453661","284481401333772062076841903110157569174","44113216220255611064517012692770715403","315864493507467516835953944719729196448"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","id":"ASB-A-301470262-32b6241c","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":715,"function_hash":"98694987338145071947296608874201862107"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-6306815a","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"function":"AMediaCodec_getOutputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}},{"digest":{"length":811,"function_hash":"305793044022599432944075141835477326463"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-301470262-636948db","source":"https://googleplex-android.googlesource.com/platform/frameworks/av/+/c9c3b9448503136ba1f562ff24047cdbe14e852b","deprecated":false,"target":{"function":"AMediaCodec_getInputBuffer","file":"media/ndk/NdkMediaCodec.cpp"}}],"types":["EoP"],"severity":"High","spl":"2025-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-301470262.json"}}],"schema_version":"1.7.5"}