CVE-2019-9325: Android 10 Security Release Notes  |  Android Open Source Project

In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112001302

Published August 20, 2019 | Updated January 27, 2021

These Android Security Release Notes contain details of security vulnerabilities affecting Android devices which are addressed as part of Android 10. Android 10 devices with a security patch level of 2019-09-01 or later are protected against these issues (Android 10, as released on AOSP, has a default security patch level of 2019-09-01). To learn how to check a device’s security patch level, see How to check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 10 release.

The severity assessment of issues in these release notes is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 10. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 10—Vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 10. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Android runtime

| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9290 | A-113039724 | EoP | Moderate |
| CVE-2019-9429 | A-110035108 | EoP | Moderate |

Framework

| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9262 | A-111792351 | RCE | Moderate |
| CVE-2019-9256 | A-111921829 | RCE | Moderate |
| CVE-2019-9280 | A-119322269 | EoP | Moderate |
| CVE-2019-2216 | A-38390530 | EoP | Moderate |
| CVE-2019-2089 | A-116608833 | EoP | Moderate |
| CVE-2019-9288 | A-111363077 | EoP | Moderate |
| CVE-2019-9384 | A-120568007 | EoP | Moderate |
| CVE-2019-9269 | A-36899497 | EoP | Moderate |
| CVE-2019-9378 | A-124539196 | EoP | Moderate |
| CVE-2019-9380 | A-123700098 | EoP | Moderate |
| CVE-2019-9407 | A-112434609 | EoP | Moderate |
| CVE-2019-2088 | A-143895055 | ID | Moderate |
| CVE-2019-2058 | A-136089102 | ID | Moderate |
| CVE-2019-9351 | A-128599864 | ID | Moderate |
| CVE-2019-9281 | A-32748076 | ID | Moderate |
| CVE-2019-9377 | A-128599663 | ID | Moderate |
| CVE-2019-9292 | A-115384617 | ID | Moderate |
| CVE-2019-9424 | A-110941092 | ID | Moderate |
| CVE-2019-9399 | A-115635664 | ID | Moderate |
| CVE-2019-9421 | A-111215250 | ID | Moderate |
| CVE-2019-9323 | A-30770233 | ID | Moderate |
| CVE-2019-9438 | A-77821568 | ID | Moderate |
| CVE-2019-9373 | A-130173029 | DoS | Moderate |
| CVE-2019-9372 | A-132782448 | DoS | Moderate |

Library

| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9423 | A-110986616 | EoP | Moderate |
| CVE-2019-9459 | A-79593569 | EoP | Moderate |

Media framework

| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9297 | A-112890242 | RCE | Moderate |
| CVE-2019-9298 | A-112892194 | RCE | Moderate |
| CVE-2019-9299 | A-112663886 | RCE | Moderate |
| CVE-2019-9300 | A-112661610 | RCE | Moderate |
| CVE-2019-9301 | A-112663384 | RCE | Moderate |
| CVE-2019-9302 | A-112661356 | RCE | Moderate |
| CVE-2019-9303 | A-112661057 | RCE | Moderate |
| CVE-2019-9304 | A-112662270 | RCE | Moderate |
| CVE-2019-9305 | A-112661835 | RCE | Moderate |
| CVE-2019-9306 | A-112661348 | RCE | Moderate |
| CVE-2019-9307 | A-112661893 | RCE | Moderate |
| CVE-2019-9308 | A-112661742 | RCE | Moderate |
| CVE-2019-9346 | A-128433933 | RCE | Moderate |
| CVE-2019-9357 | A-112662995 | RCE | Moderate |
| CVE-2019-9382 | A-120874654 | RCE | Moderate |
| CVE-2019-9405 | A-112890225 | RCE | Moderate |
| CVE-2019-9278 | A-112537774 | RCE | Moderate |
| CVE-2020-0086 | A-131859347 | EoP | Moderate |
| CVE-2019-9310 | A-112891546 | EoP | Moderate |
| CVE-2019-9232 | A-122675483 | ID | Moderate |
| CVE-2019-9247 | A-120426166 | ID | Moderate |
| CVE-2019-9282 | A-113211371 | ID | Moderate |
| CVE-2019-9293 | A-117661116 | ID | Moderate |
| CVE-2019-9294 | A-111764444 | ID | Moderate |
| CVE-2019-9313 | A-112005441 | ID | Moderate |
| CVE-2019-9314 | A-112329563 | ID | Moderate |
| CVE-2019-9315 | A-112326216 | ID | Moderate |
| CVE-2019-9316 | A-112052432 | ID | Moderate |
| CVE-2019-9317 | A-112052258 | ID | Moderate |
| CVE-2019-9318 | A-111764725 | ID | Moderate |
| CVE-2019-9319 | A-111762100 | ID | Moderate |
| CVE-2019-9320 | A-111761624 | ID | Moderate |
| CVE-2019-9321 | A-111208713 | ID | Moderate |
| CVE-2019-9322 | A-111128067 | ID | Moderate |
| CVE-2019-9325 | A-112001302 | ID | Moderate |
| CVE-2019-9334 | A-112859934 | ID | Moderate |
| CVE-2019-9335 | A-112328051 | ID | Moderate |
| CVE-2019-9336 | A-112326322 | ID | Moderate |
| CVE-2019-9337 | A-112204376 | ID | Moderate |
| CVE-2019-9338 | A-111762686 | ID | Moderate |
| CVE-2019-9347 | A-109891727 | ID | Moderate |
| CVE-2019-9359 | A-111407302 | ID | Moderate |
| CVE-2019-9361 | A-111762807 | ID | Moderate |
| CVE-2019-9362 | A-120426980 | ID | Moderate |
| CVE-2019-9364 | A-73364631 | ID | Moderate |
| CVE-2019-9366 | A-112052062 | ID | Moderate |
| CVE-2019-9370 | A-133880046 | ID | Moderate |
| CVE-2019-9406 | A-112552517 | ID | Moderate |
| CVE-2019-9408 | A-112380157 | ID | Moderate |
| CVE-2019-9409 | A-112272091 | ID | Moderate |
| CVE-2019-9410 | A-112204443 | ID | Moderate |
| CVE-2019-9411 | A-112204845 | ID | Moderate |
| CVE-2019-9412 | A-112006096 | ID | Moderate |
| CVE-2019-9415 | A-111805098 | ID | Moderate |
| CVE-2019-9416 | A-111804142 | ID | Moderate |
| CVE-2019-9433 | A-80479354 | ID | Moderate |
| CVE-2019-9252 | A-73339042 | ID | Moderate |
| CVE-2019-9268 | A-77474014 | DoS | Moderate |
| CVE-2020-0088 | A-124389881 | DoS | Moderate |
| CVE-2019-9283 | A-112663564 | DoS | Moderate |
| CVE-2019-9348 | A-128431761 | DoS | Moderate |
| CVE-2019-9349 | A-124330204 | DoS | Moderate |
| CVE-2019-9352 | A-124253062 | DoS | Moderate |
| CVE-2019-9371 | A-132783254 | DoS | Moderate |
| CVE-2019-9379 | A-124329638 | DoS | Moderate |
| CVE-2019-9418 | A-111450210 | DoS | Moderate |
| CVE-2019-9420 | A-111272481 | DoS | Moderate |

System

| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9475 | A-9496886 | ID | High |
| CVE-2019-9363 | A-123584306 | RCE | Moderate |
| CVE-2019-9365 | A-109838537 | RCE | Moderate |
| CVE-2018-9425 | A-73884967 | EoP | Moderate |
| CVE-2019-9463 | A-113584607 | EoP | Moderate |
| CVE-2019-9291 | A-112159179 | EoP | Moderate |
| CVE-2019-9386 | A-122361874 | EoP | Moderate |
| CVE-2019-9375 | A-129344244 | EoP | Moderate |
| CVE-2019-9238 | A-121267042 | EoP | Moderate |
| CVE-2019-9257 | A-113572342 | EoP | Moderate |
| CVE-2019-9258 | A-113655028 | EoP | Moderate |
| CVE-2019-9259 | A-113575306 | EoP | Moderate |
| CVE-2019-9263 | A-73136824 | EoP | Moderate |
| CVE-2019-9266 | A-119501435 | EoP | Moderate |
| CVE-2019-9295 | A-36885811 | EoP | Moderate |
| CVE-2019-9309 | A-117985575 | EoP | Moderate |
| CVE-2019-9350 | A-129562815 | EoP | Moderate |
| CVE-2019-9358 | A-120156401 | EoP | Moderate |
| CVE-2018-9489 | A-77286245 | ID | Moderate |
| CVE-2019-9473 | A-115363533 | ID | Moderate |
| CVE-2019-9474 | A-79996267 | ID | Moderate |
| CVE-2019-9440 | A-37637796 | ID | Moderate |
| CVE-2019-9277 | A-68016944 | ID | Moderate |
| CVE-2019-9233 | A-122529021 | ID | Moderate |
| CVE-2019-9234 | A-122465453 | ID | Moderate |
| CVE-2019-9235 | A-122323053 | ID | Moderate |
| CVE-2019-9236 | A-122322613 | ID | Moderate |
| CVE-2019-9237 | A-121325979 | ID | Moderate |
| CVE-2019-9239 | A-121263487 | ID | Moderate |
| CVE-2019-9240 | A-121150966 | ID | Moderate |
| CVE-2019-9241 | A-121036603 | ID | Moderate |
| CVE-2019-9242 | A-121035878 | ID | Moderate |
| CVE-2019-9243 | A-120905706 | ID | Moderate |
| CVE-2019-9244 | A-120865977 | ID | Moderate |
| CVE-2019-9246 | A-120428637 | ID | Moderate |
| CVE-2019-9249 | A-120255805 | ID | Moderate |
| CVE-2019-9250 | A-120276962 | ID | Moderate |
| CVE-2019-9251 | A-120274615 | ID | Moderate |
| CVE-2019-9253 | A-109769728 | ID | Moderate |
| CVE-2019-9260 | A-113495295 | ID | Moderate |
| CVE-2019-9265 | A-37994606 | ID | Moderate |
| CVE-2019-9272 | A-11596047 | ID | Moderate |
| CVE-2019-9284 | A-111850706 | ID | Moderate |
| CVE-2019-9287 | A-78287084 | ID | Moderate |
| CVE-2019-9289 | A-79883824 | ID | Moderate |
| CVE-2018-9581 | A-111698366 | ID | Moderate |
| CVE-2019-9296 | A-112162089 | ID | Moderate |
| CVE-2019-9312 | A-78288018 | ID | Moderate |
| CVE-2019-9326 | A-111215173 | ID | Moderate |
| CVE-2019-9328 | A-111895000 | ID | Moderate |
| CVE-2019-9329 | A-112917952 | ID | Moderate |
| CVE-2019-9332 | A-78286500 | ID | Moderate |
| CVE-2019-9333 | A-109753657 | ID | Moderate |
| CVE-2019-9344 | A-120845341 | ID | Moderate |
| CVE-2019-9353 | A-123024201 | ID | Moderate |
| CVE-2019-9354 | A-118148142 | ID | Moderate |
| CVE-2019-9355 | A-115903122 | ID | Moderate |
| CVE-2019-9356 | A-111699773 | ID | Moderate |
| CVE-2019-9360 | A-120610663 | ID | Moderate |
| CVE-2019-9368 | A-79883568 | ID | Moderate |
| CVE-2019-9369 | A-79995407 | ID | Moderate |
| CVE-2019-9381 | A-122677612 | ID | Moderate |
| CVE-2019-9383 | A-120843827 | ID | Moderate |
| CVE-2019-9387 | A-117569833 | ID | Moderate |
| CVE-2019-9388 | A-117567437 | ID | Moderate |
| CVE-2019-9403 | A-113512324 | ID | Moderate |
| CVE-2019-9414 | A-111893041 | ID | Moderate |
| CVE-2019-9427 | A-110166350 | ID | Moderate |
| CVE-2019-9431 | A-109755179 | ID | Moderate |
| CVE-2019-9432 | A-80546108 | ID | Moderate |
| CVE-2019-9434 | A-80432895 | ID | Moderate |
| CVE-2019-9435 | A-80146682 | ID | Moderate |
| CVE-2019-9330 | A-111214739 | ID | Moderate |
| CVE-2019-9331 | A-112272279 | ID | Moderate |
| CVE-2019-9341 | A-111214770 | ID | Moderate |
| CVE-2019-9342 | A-111214470 | ID | Moderate |
| CVE-2019-9343 | A-112050983 | ID | Moderate |
| CVE-2019-9367 | A-112106425 | ID | Moderate |
| CVE-2019-9413 | A-111935831 | ID | Moderate |
| CVE-2019-9417 | A-111450079 | ID | Moderate |
| CVE-2019-9419 | A-111407544 | ID | Moderate |
| CVE-2019-9422 | A-111214766 | ID | Moderate |
| CVE-2020-0236 | A-79703353 | ID | Moderate |
| CVE-2019-9279 | A-110476382 | DoS | Moderate |
| CVE-2019-9285 | A-111215315 | DoS | Moderate |
| CVE-2019-9286 | A-111213909 | DoS | Moderate |
| CVE-2019-9311 | A-79431031 | DoS | Moderate |
| CVE-2019-9327 | A-112050583 | DoS | Moderate |
| CVE-2019-9462 | A-91544774 | DoS | Moderate |
| CVE-2019-9389 | A-117567058 | DoS | Moderate |
| CVE-2019-9390 | A-117551475 | DoS | Moderate |
| CVE-2019-9393 | A-116357965 | DoS | Moderate |
| CVE-2019-9394 | A-116351796 | DoS | Moderate |
| CVE-2019-9395 | A-116267405 | DoS | Moderate |
| CVE-2019-9396 | A-115747155 | DoS | Moderate |
| CVE-2019-9397 | A-115747410 | DoS | Moderate |
| CVE-2019-9398 | A-115745406 | DoS | Moderate |
| CVE-2019-9400 | A-115509589 | DoS | Moderate |
| CVE-2019-9401 | A-115375248 | DoS | Moderate |
| CVE-2019-9402 | A-115372550 | DoS | Moderate |
| CVE-2019-9404 | A-112923309 | DoS | Moderate |
| CVE-2019-9425 | A-110846194 | DoS | Moderate |
| CVE-2019-9430 | A-109838296 | DoS | Moderate |

Libxaac

The Android 9 libxaac library was marked as experimental and removed from production Android builds as part of the November 2018 Android Security Bulletin. We would like to acknowledge researchers for their findings.

The issues identified include the following CVE IDs: CVE-2019-2055, CVE-2019-2059, CVE-2019-2060, CVE-2019-2061, CVE-2019-2062, CVE-2019-2063, CVE-2019-2064, CVE-2019-2065, CVE-2019-2066, CVE-2019-2067, CVE-2019-2068, CVE-2019-2069, CVE-2019-2070, CVE-2019-2071, CVE-2019-2072, CVE-2019-2073, CVE-2019-2074, CVE-2019-2075, CVE-2019-2076, CVE-2019-2077, CVE-2019-2078, CVE-2019-2079, CVE-2019-2080, CVE-2019-2081, CVE-2019-2082, CVE-2019-2083, CVE-2019-2084, CVE-2019-2085, CVE-2019-2086, CVE-2019-2087, CVE-2019-2138, CVE-2019-2139, CVE-2019-2140, CVE-2019-2141, CVE-2019-2142, CVE-2019-2143, CVE-2019-2144, CVE-2019-2145, CVE-2019-2146, CVE-2019-2147, CVE-2019-2148, CVE-2019-2149, CVE-2019-2150, CVE-2019-2151, CVE-2019-2152, CVE-2019-2153, CVE-2019-2154, CVE-2019-2155, CVE-2019-2156, CVE-2019-2157, CVE-2019-2158, CVE-2019-2159, CVE-2019-2160, CVE-2019-2161, CVE-2019-2162, CVE-2019-2163, CVE-2019-2164, CVE-2019-2165, CVE-2019-2166, CVE-2019-2167, CVE-2019-2168, CVE-2019-2169, CVE-2019-2170, CVE-2019-2171, CVE-2019-2172, CVE-2019-9261, CVE-2019-9264, CVE-2019-9385, and CVE-2019-9391.

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device’s security patch level, see Check and update your Android version.

Android 10, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android 10 and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

| Abbreviation | Definition |
| --- | --- |
| RCE | Remote code execution |
| EoP | Elevation of privilege |
| ID | Information disclosure |
| DoS | Denial of service |
| N/A | Classification not available |

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

| Prefix | Reference |
| --- | --- |
| A- | Android bug ID |

Versions

| Version | Date | Notes |
| --- | --- | --- |
| 1.0 | August 20, 2019 | Security Release Notes published. |
| 1.1 | August 21, 2019 | Minor adjustments to vulnerability tables |
| 1.2 | September 17, 2019 | Updated acknowledgements and issue list |
| 1.3 | November 21, 2019 | Updated issue list |
| 1.4 | February 12, 2020 | Updated issue list |
| 1.5 | February 26, 2020 | Updated issue list |
| 1.6 | May 11, 2020 | Updated issue list |
| 1.7 | June 11, 2020 | Updated issue list |
| 1.8 | January 27, 2021 | Updated issue list |
