Security Bulletin: Google Android Stagefright Multimedia Vulnerabilities

Updated 09/29/2021 10:18 AM

Google Android Stagefright Multimedia Vulnerabilities

Go to NVIDIA Product Security.

CVE-2015-1538: Integer overflows during MP4 atom processing

CVE-2015-1539: An integer underflow in ESDS processing

CVE-2015-3824: Integer overflow in libstagefright when parsing the MPEG4 tx3g atom

CVE-2015-3826: Unbounded buffer read in libstagefright while parsing 3GPP metadata

CVE-2015-3827: Integer underflow in libstagefright when processing MPEG4 covr atoms

CVE-2015-3828: Integer underflow in libstagefright if size is below 6 while processing 3GPP metadata

CVE-2015-3829: Integer overflow in libstagefright processing MPEG4 covr atoms

CVE-2015-3864: Integer overflow in libstagefright when processing 'tx3g' MP4 atom

Vulnerability Description:

The Google Android operating system's multimedia engine, known as Stagefright (or libstagefright), is affected by several vulnerabilities that may enable a remote attacker to cause a denial of service or execute arbitrary code with elevated permissions.

Exploit Scope and Risk:

The Google provided binary "libstagefright" typically runs in a process with elevated privileges. When exploited this may allow an attacker to access privileged functions, such as camera, microphone, and speakers.

The CVSS Risk assessment is listed below.

CVSS Base Score - 10

Exploitability sub-score- 10

Access Vector: Network

Access Complexity: Low

Authentication: None

Impact sub-score - 10.0

Confidentiality Impact: Complete

Integrity Impact: Complete

Availability Impact: Complete

CVSS temporal sub-score - 7.8

Exploitability: Proof of concept exists

Remediation Level: Official fix

Report Confidence: Confirmed

CVSS Environmental Score - [determined by user]

NVIDIA's risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. We recommend consulting a local security or IT professional to evaluate the risk of your specific configuration.

Vulnerable Configurations:

This vulnerability affects NVIDIA products running the Android operating system including TegraNote 7, SHIELD Portable, SHIELD Tablet, and SHIELD (2015) .

Vulnerability Discovery:

Discovery is credited to Joshua J. Drake of Zimperium, who reported it to the Android team at Google, who subsequently informed its product partners, including NVIDIA.


NVIDIA recommends that users run the latest software available. Refer to the table below for software versions containing fixes for this issue.


Exposure may be reduced by avoiding untrusted websites, applications, and storage media (such as SD cards, USB storage, or network storage), which may contain malicious media files targeting this vulnerability.

As always, observe safe computing practices by:

  • Keeping your devices updated with the latest patches at all times.

  • Only download or execute content and programs from trusted third parties.

  • Use a lock screen to protect your device from unauthorized use.

  • Beware of rooting, custom recovery software, and other modifications that may compromise the device's security.

Is this answer helpful?

Live Chat

Chat online with one of our support agents



Contact Support for assistance


Ask a Question