Impact
The vulnerability is an out-of-bounds read in the RTCP packet decoder. The missing bounds check allows an attacker to read arbitrary memory when a crafted RTCP packet is parsed, which can expose sensitive data without requiring elevated privileges. Because the flaw is triggered by packet parsing, remote information disclosure is the primary impact.
Affected Systems
The affected vendor is Google for its Android operating system. The specific Android versions are not listed in the CVE entry; any devices running a version that includes the vulnerable RTCP decoder are potentially impacted.
Risk and Exploitability
The CVSS score of 5.7 classifies the vulnerability as medium severity. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation, and the issue is not listed in CISA's KEV catalog. Exploitation requires an attacker to send a malicious RTCP packet to a device over the network, and the victim must interact with that packet or otherwise cause the decoder to parse it. With these constraints, the likelihood of a successful attack in the wild is limited.
OpenCVE Enrichment