Vulnerability Details : CVE-2015-3849
The Region_createFromParcel function in core/jni/android/graphics/Region.cpp in Region in Android before 5.1.1 LMY48M does not check the return values of certain read operations, which allows attackers to execute arbitrary code via an application that sends a crafted message to a service, aka internal bug 21585255.
Published
2015-10-01 00:59:26
Updated
2015-10-01 18:07:37
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2015-3849
Probability of exploitation activity in the next 30 days: 0.17%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 52 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-3849
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2015-3849
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3849
-
https://groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ
Vendor Advisory
-
https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885
4cff1f49ff95d990d6c2614da5d5a23d02145885 - platform/frameworks/base - Git at GoogleVendor Advisory
-
https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3
1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3 - platform/frameworks/base - Git at GoogleVendor Advisory
Products affected by CVE-2015-3849
- cpe:2.3:o:google:android:*:*:*:*:*:*:*:*