PatchSiren cyber security CVE debrief

CVE-2017-0398 Google CVE debrief

CVE-2017-0398 is a moderate-severity Android information disclosure issue in Audioserver. A local malicious app could access data beyond its permission level, exposing sensitive information on affected devices.

Vendor: Google
Product: CVE-2017-0398
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Android OEMs, enterprise mobility teams, and device owners running affected Android releases should care most, especially where third-party apps are installed or managed at scale.

Technical summary

The CVE record describes a local information disclosure flaw in Audioserver that requires user interaction, scored under CVSS 3.0 as AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and classified as CWE-200. The issue can leak sensitive data outside normal permission boundaries. The supplied record lists affected Android releases from 4.4.4 through 7.1, and the NVD CPE entries enumerate 4.4.4, 5.1.1, 6.0, 6.0.1, 7.0, and 7.1.0.

Defensive priority

Medium. The flaw can expose sensitive data, but it requires local access and user interaction, so patching should be prioritized for managed fleets and devices that still run affected Android versions.

Recommended defensive actions

  • Apply the Android security update tied to the January 2017 bulletin for affected devices.
  • Inventory Android devices and flag those on affected releases listed in the CVE record.
  • Reduce exposure to untrusted or unmanaged app installation where policy allows.
  • Verify remediation on high-value devices and enterprise-managed endpoints after update.
  • Use vendor advisories and NVD detail pages to confirm the exact build or patch level.
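The inventory and verification steps above can be scripted against an MDM export. The following is an added example, not code from the CVE record or the vendor. The inventory rows are constructed, the status names are hypothetical, and using the bulletin date 2017-01-01 as the minimum patch level is an assumption to confirm against the bulletin.

```python
from datetime import date

# Releases enumerated by the NVD CPE entries quoted on this page.
ENUMERATED = ["4.4.4", "5.1.1", "6.0", "6.0.1", "7.0", "7.1.0"]
# ASSUMPTION: the bulletin date stands in for the minimum fixed patch level.
MIN_PATCH_LEVEL = date(2017, 1, 1)

def parse_release(text):
    """Return a 3-part version tuple ('7.1' -> (7, 1, 0)), or None if unparseable."""
    parts = (text or "").strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

AFFECTED = {parse_release(r) for r in ENUMERATED}
LOW, HIGH = min(AFFECTED), max(AFFECTED)

def triage(release, patch_level):
    """Classify one inventory row for CVE-2017-0398 follow-up."""
    version = parse_release(release)
    if version is None:
        return "verify-manually"      # release string could not be parsed
    if not LOW <= version <= HIGH:
        return "out-of-scope"         # outside 4.4.4 through 7.1
    try:
        level = date.fromisoformat(patch_level or "")
    except ValueError:
        return "verify-manually"      # no usable patch level reported
    if level >= MIN_PATCH_LEVEL:
        return "patched"
    # In range but not enumerated by NVD: keep visible instead of dropping it.
    return "needs-update" if version in AFFECTED else "review-in-range"

# Constructed sample inventory: (device id, Android release, security patch level)
INVENTORY = [
    ("dev-001", "7.1", "2016-12-05"),
    ("dev-002", "6.0.1", "2017-01-05"),
    ("dev-003", "4.4.4", ""),
    ("dev-004", "8.0.0", "2017-08-05"),
    ("dev-005", "5.0.2", "2016-11-01"),
]

def report(rows=INVENTORY):
    return {dev: triage(rel, patch) for dev, rel, patch in rows}

if __name__ == "__main__":
    for dev, status in report().items():
        print(dev, status)
```

Devices that land in verify-manually or review-in-range are the ones to check by hand against the vendor advisory and NVD detail page.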

Evidence notes

The CVE description states this is an Audioserver information disclosure that can let a local malicious application access data outside its permission level. The NVD vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N with CWE-200. The supplied corpus also shows an Android Security Bulletin dated 2017-01-01 and a CVE publication date of 2017-01-13.

Official resources

Public disclosure is reflected in the Android Security Bulletin dated 2017-01-01 and the CVE record published on 2017-01-13.