PatchSiren cyber security CVE debrief

CVE-2017-0409 Google CVE debrief

CVE-2017-0409 is a high-severity Android libstagefright issue in which a specially crafted file can trigger arbitrary code execution in an unprivileged process. NVD records affected Android versions 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1, and the published CVSS 3.0 base score is 7.8 with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Because exploitation depends on user interaction and a vulnerable content-processing path, the main defensive goal is to reduce exposure to untrusted media and files and to ensure affected Android systems are updated.

Vendor: Google
Product: CVE-2017-0409
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android device owners, fleet administrators, OEMs, and app teams that ingest or render untrusted media or files through Android's media stack.

Technical summary

The vulnerability is described as a remote code execution issue in libstagefright, the Android media framework component. The short description says a specially crafted file may execute arbitrary code in the context of an unprivileged process. NVD's CVSS vector rates it as requiring user interaction, with high confidentiality, integrity, and availability impact. The NVD CPE list marks Android 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1 as vulnerable.

Defensive priority

High. The score is 7.8 and the impact is arbitrary code execution with high confidentiality, integrity, and availability impact, but exploitation is tempered by user interaction and the need for a vulnerable content-processing path.

Recommended defensive actions

  • Apply the relevant Android security bulletin fixes for CVE-2017-0409 on all affected Android versions.
  • Inventory devices and apps on Android 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1 that consume untrusted media or files.
  • Limit handling of untrusted files or media on impacted devices until they are patched.
  • Prioritize patching devices or applications that process attacker-supplied content from messages, downloads, or shared storage.
  • Verify remediation by confirming Android security bulletin coverage in fleet management records.
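The inventory and verification steps above reduce to one check per device: is the build on an NVD-listed release, and does its security patch level indicate the bulletin fix? The following added example (not PatchSiren's or Google's code) triages a constructed fleet export of that shape. It assumes each row carries the device's ro.build.version.release and ro.build.version.security_patch values, and it assumes that a patch level on or after the 2017-02-01 bulletin date carries the fix; the exact patch level that shipped the fix should be confirmed against the bulletin itself.

```python
"""Flag fleet devices still exposed to CVE-2017-0409 (added example; inventory format is assumed)."""
from dataclasses import dataclass
from datetime import date

# Android releases NVD lists as vulnerable for CVE-2017-0409.
AFFECTED_RELEASES = {"6.0", "6.0.1", "7.0", "7.1.0", "7.1.1"}

# Assumption: builds whose ro.build.version.security_patch is on or after the
# February 2017 bulletin date carry the fix. Confirm the exact patch level
# against the bulletin before relying on this date.
FIX_PATCH_LEVEL = date(2017, 2, 1)


@dataclass
class Device:
    device_id: str
    release: str          # ro.build.version.release
    security_patch: str   # ro.build.version.security_patch, "" if the build lacks it


def release_key(release: str) -> tuple:
    """Turn '7.1' or '7.1.0' into (7, 1, 0) so two- and three-part strings compare equal."""
    parts = [int(p) for p in release.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


AFFECTED_KEYS = {release_key(r) for r in AFFECTED_RELEASES}


def parse_patch_level(value: str):
    """Parse 'YYYY-MM-DD'; returns None when absent or malformed (older builds lack the property)."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def assess(device: Device) -> str:
    """Return 'not_affected', 'patched', 'exposed', or 'unknown' for one device."""
    try:
        key = release_key(device.release)
    except ValueError:
        return "unknown"            # non-numeric release string; needs manual review
    if key not in AFFECTED_KEYS:
        return "not_affected"
    patch = parse_patch_level(device.security_patch)
    if patch is not None and patch >= FIX_PATCH_LEVEL:
        return "patched"
    return "exposed"               # affected release with a missing or pre-fix patch level


def triage(inventory_csv: str) -> dict:
    """Parse 'device_id,release,security_patch' lines and group device ids by status."""
    groups = {"exposed": [], "patched": [], "not_affected": [], "unknown": []}
    for line in inventory_csv.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (3 - len(fields))      # tolerate rows missing the patch column
        device_id, release, patch = fields[:3]
        groups[assess(Device(device_id, release, patch))].append(device_id)
    return groups


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = """
# device_id,release,security_patch
tab-001,6.0.1,2016-11-01
phone-002,7.1.1,2017-02-05
phone-003,7.1,
phone-004,8.0.0,2017-09-05
kiosk-005,5.1.1,
"""

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(ids) or '-'}")
```

Devices that land in "exposed" are the ones to prioritize under the actions above, especially where they receive content from messages, downloads, or shared storage; a missing patch-level property is deliberately treated as unpatched rather than unknown, because builds old enough to lack it predate the fix.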

Evidence notes

This debrief is grounded in the NVD record for CVE-2017-0409, which states the libstagefright remote code execution description, the CVSS 3.0 vector, and the vulnerable Android CPEs. The Android security bulletin reference dated 2017-02-01 is included in the NVD references. The CVE record was published on 2017-02-08. NVD classifies the weakness as NVD-CWE-noinfo, so the corpus does not specify a finer CWE.

Official resources

Publicly disclosed in February 2017; the CVE record was published on 2017-02-08, and the Android security bulletin reference in the corpus is dated 2017-02-01.