PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-0407 Google CVE debrief

CVE-2017-0407 is a Mediaserver memory-corruption flaw in Android's libhevc component. According to the Android advisory, a specially crafted file could trigger corruption during media file and data processing, creating a path to remote code execution in the Mediaserver process. The CVE was published on 2017-02-08, with the vendor bulletin dated 2017-02-01.

Vendor: Google
Product: Android (Mediaserver / libhevc)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android OEMs, device maintainers, enterprise mobility teams, and users running affected Android 6.0, 6.0.1, 7.0, 7.1.0, or 7.1.1 builds should care, especially where untrusted media files are routinely opened or processed.

Technical summary

The issue affects Android's Mediaserver path in libhevc and is mapped to CWE-119 (memory corruption). NVD lists CVSS v3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8 High), while the Android bulletin characterizes the impact as critical due to possible remote code execution in the Mediaserver process. The vulnerable Android CPEs in the record include 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1.

Defensive priority

High priority for patching on affected devices because the flaw can lead to code execution in a core media-processing process. Remediation should be coordinated through vendor/OEM security updates and validated across the Android versions listed in the record.

Recommended defensive actions

  • Confirm whether any fleet devices run Android 6.0, 6.0.1, 7.0, 7.1.0, or 7.1.1.
  • Apply the Android security update referenced in the 2017-02-01 bulletin through the device/OEM update channel.
  • Prioritize remediation on devices that process untrusted or externally supplied media files.
  • Monitor for media-processing crashes or instability that could indicate exposure to vulnerable code paths.
  • Use mobile device management controls to accelerate patch compliance and isolate devices that cannot be updated promptly.
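The first two actions above (confirm which fleet devices run an affected release, then apply the bulletin update) reduce to a triage pass over an inventory export. The script below is an added example, not PatchSiren tooling. It assumes a CSV export from an MDM or from adb with the columns device_id, release (ro.build.version.release) and security_patch (ro.build.version.security_patch, YYYY-MM-DD); the inventory rows are constructed. The affected releases and the 2017-02-01 bulletin date come from this debrief; treating a patch level of 2017-02-01 or later as fixed is the example's assumption, and a device with an empty or malformed patch field is reported as unknown rather than silently passed.

```python
"""Triage an Android device inventory against CVE-2017-0407's affected versions.

Added example (not PatchSiren's own tooling). Assumes a CSV export with
columns device_id, release, security_patch; the sample rows are constructed.
"""
import csv
import io
from datetime import date

# Affected releases as enumerated in the NVD CPE criteria quoted in the debrief.
AFFECTED_RELEASES = {"6.0", "6.0.1", "7.0", "7.1.0", "7.1.1"}
# Assumption: a security patch level of 2017-02-01 (the bulletin date) or later
# carries the fix. Verify against the OEM's own update notes before relying on it.
FIX_PATCH_LEVEL = date(2017, 2, 1)

# Constructed sample export; device ids and values are made up for illustration.
SAMPLE_INVENTORY = """\
device_id,release,security_patch
tab-001,7.1.1,2016-12-01
tab-002,7.1.1,2017-03-05
phone-003,6.0.1,
phone-004,8.0.0,2017-11-05
phone-005,7.0,2017-02-01
kiosk-006,5.1.1,2016-08-01
"""


def parse_patch_level(text):
    """Return a date, or None when the field is empty or not YYYY-MM-DD."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def triage(inventory_csv):
    """Classify every device as exposed, patched, unknown or out_of_scope."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        release = row["release"].strip()
        raw_patch = (row.get("security_patch") or "").strip()
        patch = parse_patch_level(raw_patch)
        if release not in AFFECTED_RELEASES:
            status = "out_of_scope"   # not in the CPE list on this record
        elif patch is None:
            status = "unknown"        # no usable patch level: treat as exposed until verified
        elif patch >= FIX_PATCH_LEVEL:
            status = "patched"
        else:
            status = "exposed"
        results.append({"device_id": row["device_id"].strip(), "release": release,
                        "security_patch": raw_patch, "status": status})
    return results


def needs_action(results):
    """Devices to prioritise: exposed first, then unknown, each sorted by id."""
    order = {"exposed": 0, "unknown": 1}
    return sorted((r for r in results if r["status"] in order),
                  key=lambda r: (order[r["status"]], r["device_id"]))


if __name__ == "__main__":
    for r in needs_action(triage(SAMPLE_INVENTORY)):
        print(f"{r['device_id']:<10} {r['release']:<6} "
              f"{r['security_patch'] or '-':<10} {r['status']}")
```

Devices on releases outside the record's CPE list (the 5.1.1 kiosk in the sample) are reported as out of scope for this CVE only; that says nothing about their exposure to other bulletins, so keep them in the general patch backlog.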

Evidence notes

Primary evidence comes from the NVD CVE record and the Android security bulletin linked in the record. The source metadata shows the record was last modified on 2026-05-13, but the CVE publication date remains 2017-02-08. The bulletin and NVD metadata consistently identify Android Mediaserver/libhevc as the affected area, with vulnerable Android versions enumerated in the CPE criteria. NVD also lists third-party references (SecurityFocus and SecurityTracker) alongside the vendor advisory.

Official resources

CVE published 2017-02-08; the Android vendor bulletin referenced by the record is dated 2017-02-01. The NVD record was modified later on 2026-05-13, which should not be treated as the vulnerability's issue date.