Impact
A missing bounds check in the writeAocCommand function of AocAudioCodec.cpp allows an attacker to send a crafted audio command that could overwrite out‑of‑bounds memory, causing a crash and denial of service. This memory safety flaw is identified as CWE‑120 and does not grant the attacker additional privileges. The vulnerability can be triggered remotely without user interaction.
Affected Systems
This vulnerability applies to the Android operating system on Google devices running the AocAudioCodec component. No specific version information is provided, so all affected Android builds that include the unpatched AocAudioCodec implementation are at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is under 1%, suggesting a low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector would involve an attacker sending a malicious audio command to the audio service over a susceptible interface, which could be accessed remotely. No additional execution privileges or user interaction are required for exploitation.
OpenCVE Enrichment