Impact
A type confusion in the ParsePayloads function of AudioSdpParser.cpp allows an attacker to corrupt memory, a classic CWE‑843 flaw. The resulting memory corruption can be used to execute arbitrary code on the device without requiring elevated privileges. The flaw can be triggered remotely and does not need any user interaction.
Affected Systems
The affected vendor is Google for its Android operating system. The vulnerability lies in the AudioSdpParser component that processes SDP payloads. No specific device or OS version range is listed, so any Android device incorporating the current AudioSdpParser implementation is susceptible.
Risk and Exploitability
The CVSS score of 8.8 classifies this as high severity. The EPSS score of less than 1 % indicates that active exploitation is unlikely at this point, and it is not listed in the CISA KEV catalog. Based on the description that no user interaction is required and the vulnerability resides in an SDP parser, the likely attack vector is remote network access that forces the delivery of malicious SDP payloads—such as through VoIP or media streams. This inference is made because the source code reference involves parsing SDP, but the exact exploit path is not detailed in the advisory.
OpenCVE Enrichment