PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-0425 Google CVE debrief

CVE-2017-0425 is an Android information disclosure issue in Audioserver. According to the vendor and NVD records, a local malicious application could access data outside its permission levels, creating a confidentiality risk without requiring code execution. The CVE was published on 2017-02-08, and Android’s security bulletin for 2017-02-01 is the vendor reference associated with the fix.

Vendor: Google
Product: CVE-2017-0425
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android platform maintainers, OEM patch teams, mobile device administrators, app security reviewers, and defenders responsible for devices running affected Android versions.

Technical summary

NVD classifies the issue as CVSS 3.0 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and CWE-200. The vulnerability affects Audioserver and may allow a local malicious app to read information it should not be able to access. The issue is described as affecting Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, and 7.1.1 in the supplied record.

Defensive priority

Medium. The issue is locally exploitable and requires user interaction, but it can expose sensitive data with high confidentiality impact. Prioritize it on devices that permit untrusted app installation or that handle sensitive media-related data.

Recommended defensive actions

  • Apply the Android security bulletin fixes referenced for the 2017-02-01 update cycle.
  • Verify fleet coverage for the affected Android versions listed in the record: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, and 7.1.1.
  • Treat this as a confidentiality issue and review whether local app execution is possible on managed devices.
  • Restrict installation of untrusted applications and enforce mobile application control where practical.
  • Monitor vendor advisories and device OEM patch status to confirm the remediation is present on deployed builds.
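
The fleet-coverage check from the actions above, as an added example that is not part of the original debrief or any vendor tooling. It assumes an inventory export with hypothetical columns device_id, release and security_patch, and assumes the fix ships at the 2017-02-01 patch level named on this page; confirm the level against the bulletin before relying on it.

```python
import csv
import io
from datetime import date

# Affected releases exactly as listed in the record quoted on this page.
AFFECTED = {"4.4.4", "5.0.2", "5.1.1", "6.0", "6.0.1", "7.0", "7.1.1"}
# Assumption: the fix is delivered at the bulletin's 2017-02-01 patch level.
FIXED_LEVEL = date(2017, 2, 1)

# Constructed sample inventory (not real devices). Columns mirror the Android
# properties ro.build.version.release and ro.build.version.security_patch.
SAMPLE_INVENTORY = """\
device_id,release,security_patch
dev-001,7.1.1,2017-01-05
dev-002,6.0.1,2017-02-01
dev-003,5.1.1,
dev-004,8.0.0,2017-09-05
dev-005,7.0,2017-03-05
"""

def classify(release, security_patch):
    """Return 'not-listed', 'patched', 'vulnerable' or 'unverified'."""
    if release.strip() not in AFFECTED:
        return "not-listed"
    try:
        level = date.fromisoformat(security_patch.strip())
    except ValueError:
        # Missing or malformed patch level on an affected release: the fix
        # cannot be confirmed, so do not count the device as covered.
        return "unverified"
    return "patched" if level >= FIXED_LEVEL else "vulnerable"

def triage(inventory_csv):
    """Map device_id -> status for every row in the CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["release"], r["security_patch"]) for r in rows}

def needs_action(inventory_csv):
    """Device ids that are vulnerable or whose patch state is unverified."""
    return [d for d, s in triage(inventory_csv).items() if s in ("vulnerable", "unverified")]

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as unverified are on an affected release but report no usable patch level, so they need a manual check of the OEM build rather than being counted as remediated.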

Evidence notes

This debrief is based only on the supplied NVD record and the linked Android security bulletin. The record states an information disclosure in Audioserver, local malicious-app access beyond permission levels, CWE-200, and CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Published date context comes from the CVE record (2017-02-08) and the vendor bulletin reference dated 2017-02-01.

Official resources

Publicly disclosed in the Android security advisory ecosystem and published in the CVE record on 2017-02-08. The vendor bulletin reference associated with the fix is the Android Security Bulletin dated 2017-02-01.