Impact
A buffer over‑read occurs in the iavb_parse_key_data function of avb_rsa.c due to inadequate input validation, allowing the application to read memory beyond its intended bounds. The vulnerability does not provide an execution path or privilege escalation; however, the leaked data can expose sensitive internal information. This weakness is reflected in the associated CWE‑125 and CWE‑20 designations.
Affected Systems
Commercial Android devices distributed by Google, as outlined in the security bulletin. Specific product versions are not disclosed in the public data, so administrators should review all devices for potential exposure.
Risk and Exploitability
The CVSS score of 3.3 indicates low severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA KEV catalog, further reducing its immediate risk. Exploit requires local access and crafted input data, with no user interaction needed once the malformed key is processed.
OpenCVE Enrichment