Impact
In the Android RtpPacket::decodePacket method an integer overflow can cause an out‑of‑bounds read, exposing packet data to an attacker. The flaw would allow remote information disclosure without requiring privilege escalation, but the attacker must first deliver a specially crafted RTP packet to the device and the victim must interact with it.
Affected Systems
Google Android devices, including Pixel series, are affected. Specific Android OS versions are not enumerated in the advisory.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity, but the EPSS score of less than 1% and the fact that the vulnerability is not listed in CISA KEV suggest a low likelihood of widespread exploitation. The attack requires user interaction and delivery of a malicious RTP packet, limiting its reach to environments with remote media streams.
OpenCVE Enrichment