Impact
A missing bounds check in the function that decodes RTCP BYE packets in Google Android can allow an attacker to read beyond the intended buffer, potentially exposing sensitive data to an unauthenticated user. This flaw corresponds to a buffer over‑read weakness and does not grant additional privileges or code execution. The impact is limited to information disclosure, but it can still compromise confidentiality of data that the device handles during network communication.
Affected Systems
The vulnerability affects Android operating systems distributed by Google. No specific OS versions are listed, so any device running a version prior to the latest security patch may be susceptible. All Android devices that process RTCP BYE packets, such as phones and tablets, are potentially impacted.
Risk and Exploitability
The CVSS score of 3.5 indicates a low overall severity. The EPSS score is reported as less than 1%, meaning that exploitation is considered unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires a malformed RTCP BYE packet and user interaction to trigger, exploitation would likely involve an attacker sending a crafted packet to a device that is actively processing network media, such as during a video call or streaming session. No publicly available exploitation code is known, and the limited attack surface reduces the risk of widespread exploitation.
OpenCVE Enrichment