CVE-2019-9325: Android 10 Security Release Notes | Android Open Source Project
In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112001302
Published August 20, 2019 | Updated January 27, 2021
These Android Security Release Notes contain details of security vulnerabilities affecting Android devices which are addressed as part of Android 10. Android 10 devices with a security patch level of 2019-09-01 or later are protected against these issues (Android 10, as released on AOSP, has a default security patch level of 2019-09-01). To learn how to check a device’s security patch level, see How to check and update your Android version.
Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 10 release.
The severity assessment of issues in these release notes is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.
Announcements
- The issues described in this document are addressed as part of Android 10. This information is provided for reference and transparency.
- We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.
Android and Google Service Mitigations
This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.
Android 10—Vulnerability details
The sections below provide details for security vulnerabilities fixed as part of Android 10. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.
Android runtime
| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9290 | A-113039724 | EoP | Moderate |
| CVE-2019-9429 | A-110035108 | EoP | Moderate |
Framework
| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9262 | A-111792351 | RCE | Moderate |
| CVE-2019-9256 | A-111921829 | RCE | Moderate |
| CVE-2019-9280 | A-119322269 | EoP | Moderate |
| CVE-2019-2216 | A-38390530 | EoP | Moderate |
| CVE-2019-2089 | A-116608833 | EoP | Moderate |
| CVE-2019-9288 | A-111363077 | EoP | Moderate |
| CVE-2019-9384 | A-120568007 | EoP | Moderate |
| CVE-2019-9269 | A-36899497 | EoP | Moderate |
| CVE-2019-9378 | A-124539196 | EoP | Moderate |
| CVE-2019-9380 | A-123700098 | EoP | Moderate |
| CVE-2019-9407 | A-112434609 | EoP | Moderate |
| CVE-2019-2088 | A-143895055 | ID | Moderate |
| CVE-2019-2058 | A-136089102 | ID | Moderate |
| CVE-2019-9351 | A-128599864 | ID | Moderate |
| CVE-2019-9281 | A-32748076 | ID | Moderate |
| CVE-2019-9377 | A-128599663 | ID | Moderate |
| CVE-2019-9292 | A-115384617 | ID | Moderate |
| CVE-2019-9424 | A-110941092 | ID | Moderate |
| CVE-2019-9399 | A-115635664 | ID | Moderate |
| CVE-2019-9421 | A-111215250 | ID | Moderate |
| CVE-2019-9323 | A-30770233 | ID | Moderate |
| CVE-2019-9438 | A-77821568 | ID | Moderate |
| CVE-2019-9373 | A-130173029 | DoS | Moderate |
| CVE-2019-9372 | A-132782448 | DoS | Moderate |
Library
| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9423 | A-110986616 | EoP | Moderate |
| CVE-2019-9459 | A-79593569 | EoP | Moderate |
Media framework
| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9297 | A-112890242 | RCE | Moderate |
| CVE-2019-9298 | A-112892194 | RCE | Moderate |
| CVE-2019-9299 | A-112663886 | RCE | Moderate |
| CVE-2019-9300 | A-112661610 | RCE | Moderate |
| CVE-2019-9301 | A-112663384 | RCE | Moderate |
| CVE-2019-9302 | A-112661356 | RCE | Moderate |
| CVE-2019-9303 | A-112661057 | RCE | Moderate |
| CVE-2019-9304 | A-112662270 | RCE | Moderate |
| CVE-2019-9305 | A-112661835 | RCE | Moderate |
| CVE-2019-9306 | A-112661348 | RCE | Moderate |
| CVE-2019-9307 | A-112661893 | RCE | Moderate |
| CVE-2019-9308 | A-112661742 | RCE | Moderate |
| CVE-2019-9346 | A-128433933 | RCE | Moderate |
| CVE-2019-9357 | A-112662995 | RCE | Moderate |
| CVE-2019-9382 | A-120874654 | RCE | Moderate |
| CVE-2019-9405 | A-112890225 | RCE | Moderate |
| CVE-2019-9278 | A-112537774 | RCE | Moderate |
| CVE-2020-0086 | A-131859347 | EoP | Moderate |
| CVE-2019-9310 | A-112891546 | EoP | Moderate |
| CVE-2019-9232 | A-122675483 | ID | Moderate |
| CVE-2019-9247 | A-120426166 | ID | Moderate |
| CVE-2019-9282 | A-113211371 | ID | Moderate |
| CVE-2019-9293 | A-117661116 | ID | Moderate |
| CVE-2019-9294 | A-111764444 | ID | Moderate |
| CVE-2019-9313 | A-112005441 | ID | Moderate |
| CVE-2019-9314 | A-112329563 | ID | Moderate |
| CVE-2019-9315 | A-112326216 | ID | Moderate |
| CVE-2019-9316 | A-112052432 | ID | Moderate |
| CVE-2019-9317 | A-112052258 | ID | Moderate |
| CVE-2019-9318 | A-111764725 | ID | Moderate |
| CVE-2019-9319 | A-111762100 | ID | Moderate |
| CVE-2019-9320 | A-111761624 | ID | Moderate |
| CVE-2019-9321 | A-111208713 | ID | Moderate |
| CVE-2019-9322 | A-111128067 | ID | Moderate |
| CVE-2019-9325 | A-112001302 | ID | Moderate |
| CVE-2019-9334 | A-112859934 | ID | Moderate |
| CVE-2019-9335 | A-112328051 | ID | Moderate |
| CVE-2019-9336 | A-112326322 | ID | Moderate |
| CVE-2019-9337 | A-112204376 | ID | Moderate |
| CVE-2019-9338 | A-111762686 | ID | Moderate |
| CVE-2019-9347 | A-109891727 | ID | Moderate |
| CVE-2019-9359 | A-111407302 | ID | Moderate |
| CVE-2019-9361 | A-111762807 | ID | Moderate |
| CVE-2019-9362 | A-120426980 | ID | Moderate |
| CVE-2019-9364 | A-73364631 | ID | Moderate |
| CVE-2019-9366 | A-112052062 | ID | Moderate |
| CVE-2019-9370 | A-133880046 | ID | Moderate |
| CVE-2019-9406 | A-112552517 | ID | Moderate |
| CVE-2019-9408 | A-112380157 | ID | Moderate |
| CVE-2019-9409 | A-112272091 | ID | Moderate |
| CVE-2019-9410 | A-112204443 | ID | Moderate |
| CVE-2019-9411 | A-112204845 | ID | Moderate |
| CVE-2019-9412 | A-112006096 | ID | Moderate |
| CVE-2019-9415 | A-111805098 | ID | Moderate |
| CVE-2019-9416 | A-111804142 | ID | Moderate |
| CVE-2019-9433 | A-80479354 | ID | Moderate |
| CVE-2019-9252 | A-73339042 | ID | Moderate |
| CVE-2019-9268 | A-77474014 | DoS | Moderate |
| CVE-2020-0088 | A-124389881 | DoS | Moderate |
| CVE-2019-9283 | A-112663564 | DoS | Moderate |
| CVE-2019-9348 | A-128431761 | DoS | Moderate |
| CVE-2019-9349 | A-124330204 | DoS | Moderate |
| CVE-2019-9352 | A-124253062 | DoS | Moderate |
| CVE-2019-9371 | A-132783254 | DoS | Moderate |
| CVE-2019-9379 | A-124329638 | DoS | Moderate |
| CVE-2019-9418 | A-111450210 | DoS | Moderate |
| CVE-2019-9420 | A-111272481 | DoS | Moderate |
System
| CVE | References | Type | Severity |
| --- | --- | --- | --- |
| CVE-2019-9475 | A-9496886 | ID | High |
| CVE-2019-9363 | A-123584306 | RCE | Moderate |
| CVE-2019-9365 | A-109838537 | RCE | Moderate |
| CVE-2018-9425 | A-73884967 | EoP | Moderate |
| CVE-2019-9463 | A-113584607 | EoP | Moderate |
| CVE-2019-9291 | A-112159179 | EoP | Moderate |
| CVE-2019-9386 | A-122361874 | EoP | Moderate |
| CVE-2019-9375 | A-129344244 | EoP | Moderate |
| CVE-2019-9238 | A-121267042 | EoP | Moderate |
| CVE-2019-9257 | A-113572342 | EoP | Moderate |
| CVE-2019-9258 | A-113655028 | EoP | Moderate |
| CVE-2019-9259 | A-113575306 | EoP | Moderate |
| CVE-2019-9263 | A-73136824 | EoP | Moderate |
| CVE-2019-9266 | A-119501435 | EoP | Moderate |
| CVE-2019-9295 | A-36885811 | EoP | Moderate |
| CVE-2019-9309 | A-117985575 | EoP | Moderate |
| CVE-2019-9350 | A-129562815 | EoP | Moderate |
| CVE-2019-9358 | A-120156401 | EoP | Moderate |
| CVE-2018-9489 | A-77286245 | ID | Moderate |
| CVE-2019-9473 | A-115363533 | ID | Moderate |
| CVE-2019-9474 | A-79996267 | ID | Moderate |
| CVE-2019-9440 | A-37637796 | ID | Moderate |
| CVE-2019-9277 | A-68016944 | ID | Moderate |
| CVE-2019-9233 | A-122529021 | ID | Moderate |
| CVE-2019-9234 | A-122465453 | ID | Moderate |
| CVE-2019-9235 | A-122323053 | ID | Moderate |
| CVE-2019-9236 | A-122322613 | ID | Moderate |
| CVE-2019-9237 | A-121325979 | ID | Moderate |
| CVE-2019-9239 | A-121263487 | ID | Moderate |
| CVE-2019-9240 | A-121150966 | ID | Moderate |
| CVE-2019-9241 | A-121036603 | ID | Moderate |
| CVE-2019-9242 | A-121035878 | ID | Moderate |
| CVE-2019-9243 | A-120905706 | ID | Moderate |
| CVE-2019-9244 | A-120865977 | ID | Moderate |
| CVE-2019-9246 | A-120428637 | ID | Moderate |
| CVE-2019-9249 | A-120255805 | ID | Moderate |
| CVE-2019-9250 | A-120276962 | ID | Moderate |
| CVE-2019-9251 | A-120274615 | ID | Moderate |
| CVE-2019-9253 | A-109769728 | ID | Moderate |
| CVE-2019-9260 | A-113495295 | ID | Moderate |
| CVE-2019-9265 | A-37994606 | ID | Moderate |
| CVE-2019-9272 | A-11596047 | ID | Moderate |
| CVE-2019-9284 | A-111850706 | ID | Moderate |
| CVE-2019-9287 | A-78287084 | ID | Moderate |
| CVE-2019-9289 | A-79883824 | ID | Moderate |
| CVE-2018-9581 | A-111698366 | ID | Moderate |
| CVE-2019-9296 | A-112162089 | ID | Moderate |
| CVE-2019-9312 | A-78288018 | ID | Moderate |
| CVE-2019-9326 | A-111215173 | ID | Moderate |
| CVE-2019-9328 | A-111895000 | ID | Moderate |
| CVE-2019-9329 | A-112917952 | ID | Moderate |
| CVE-2019-9332 | A-78286500 | ID | Moderate |
| CVE-2019-9333 | A-109753657 | ID | Moderate |
| CVE-2019-9344 | A-120845341 | ID | Moderate |
| CVE-2019-9353 | A-123024201 | ID | Moderate |
| CVE-2019-9354 | A-118148142 | ID | Moderate |
| CVE-2019-9355 | A-115903122 | ID | Moderate |
| CVE-2019-9356 | A-111699773 | ID | Moderate |
| CVE-2019-9360 | A-120610663 | ID | Moderate |
| CVE-2019-9368 | A-79883568 | ID | Moderate |
| CVE-2019-9369 | A-79995407 | ID | Moderate |
| CVE-2019-9381 | A-122677612 | ID | Moderate |
| CVE-2019-9383 | A-120843827 | ID | Moderate |
| CVE-2019-9387 | A-117569833 | ID | Moderate |
| CVE-2019-9388 | A-117567437 | ID | Moderate |
| CVE-2019-9403 | A-113512324 | ID | Moderate |
| CVE-2019-9414 | A-111893041 | ID | Moderate |
| CVE-2019-9427 | A-110166350 | ID | Moderate |
| CVE-2019-9431 | A-109755179 | ID | Moderate |
| CVE-2019-9432 | A-80546108 | ID | Moderate |
| CVE-2019-9434 | A-80432895 | ID | Moderate |
| CVE-2019-9435 | A-80146682 | ID | Moderate |
| CVE-2019-9330 | A-111214739 | ID | Moderate |
| CVE-2019-9331 | A-112272279 | ID | Moderate |
| CVE-2019-9341 | A-111214770 | ID | Moderate |
| CVE-2019-9342 | A-111214470 | ID | Moderate |
| CVE-2019-9343 | A-112050983 | ID | Moderate |
| CVE-2019-9367 | A-112106425 | ID | Moderate |
| CVE-2019-9413 | A-111935831 | ID | Moderate |
| CVE-2019-9417 | A-111450079 | ID | Moderate |
| CVE-2019-9419 | A-111407544 | ID | Moderate |
| CVE-2019-9422 | A-111214766 | ID | Moderate |
| CVE-2020-0236 | A-79703353 | ID | Moderate |
| CVE-2019-9279 | A-110476382 | DoS | Moderate |
| CVE-2019-9285 | A-111215315 | DoS | Moderate |
| CVE-2019-9286 | A-111213909 | DoS | Moderate |
| CVE-2019-9311 | A-79431031 | DoS | Moderate |
| CVE-2019-9327 | A-112050583 | DoS | Moderate |
| CVE-2019-9462 | A-91544774 | DoS | Moderate |
| CVE-2019-9389 | A-117567058 | DoS | Moderate |
| CVE-2019-9390 | A-117551475 | DoS | Moderate |
| CVE-2019-9393 | A-116357965 | DoS | Moderate |
| CVE-2019-9394 | A-116351796 | DoS | Moderate |
| CVE-2019-9395 | A-116267405 | DoS | Moderate |
| CVE-2019-9396 | A-115747155 | DoS | Moderate |
| CVE-2019-9397 | A-115747410 | DoS | Moderate |
| CVE-2019-9398 | A-115745406 | DoS | Moderate |
| CVE-2019-9400 | A-115509589 | DoS | Moderate |
| CVE-2019-9401 | A-115375248 | DoS | Moderate |
| CVE-2019-9402 | A-115372550 | DoS | Moderate |
| CVE-2019-9404 | A-112923309 | DoS | Moderate |
| CVE-2019-9425 | A-110846194 | DoS | Moderate |
| CVE-2019-9430 | A-109838296 | DoS | Moderate |
Libxaac
The Android 9 libxaac library was marked as experimental and removed from production Android builds as part of the November 2018 Android Security Bulletin. We would like to acknowledge researchers for their findings.
The issues identified include the following CVE IDs: CVE-2019-2055, CVE-2019-2059, CVE-2019-2060, CVE-2019-2061, CVE-2019-2062, CVE-2019-2063, CVE-2019-2064, CVE-2019-2065, CVE-2019-2066, CVE-2019-2067, CVE-2019-2068, CVE-2019-2069, CVE-2019-2070, CVE-2019-2071, CVE-2019-2072, CVE-2019-2073, CVE-2019-2074, CVE-2019-2075, CVE-2019-2076, CVE-2019-2077, CVE-2019-2078, CVE-2019-2079, CVE-2019-2080, CVE-2019-2081, CVE-2019-2082, CVE-2019-2083, CVE-2019-2084, CVE-2019-2085, CVE-2019-2086, CVE-2019-2087, CVE-2019-2138, CVE-2019-2139, CVE-2019-2140, CVE-2019-2141, CVE-2019-2142, CVE-2019-2143, CVE-2019-2144, CVE-2019-2145, CVE-2019-2146, CVE-2019-2147, CVE-2019-2148, CVE-2019-2149, CVE-2019-2150, CVE-2019-2151, CVE-2019-2152, CVE-2019-2153, CVE-2019-2154, CVE-2019-2155, CVE-2019-2156, CVE-2019-2157, CVE-2019-2158, CVE-2019-2159, CVE-2019-2160, CVE-2019-2161, CVE-2019-2162, CVE-2019-2163, CVE-2019-2164, CVE-2019-2165, CVE-2019-2166, CVE-2019-2167, CVE-2019-2168, CVE-2019-2169, CVE-2019-2170, CVE-2019-2171, CVE-2019-2172, CVE-2019-9261, CVE-2019-9264, CVE-2019-9385, and CVE-2019-9391.
Common questions and answers
This section answers common questions that may occur after reading this bulletin.
1. How do I determine if my device is updated to address these issues?
To learn how to check a device’s security patch level, see Check and update your Android version.
Android 10, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android 10 and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.
2. What do the entries in the Type column mean?
Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.
| Abbreviation | Definition |
| --- | --- |
| RCE | Remote code execution |
| EoP | Elevation of privilege |
| ID | Information disclosure |
| DoS | Denial of service |
| N/A | Classification not available |
3. What do the entries in the References column mean?
Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.
| Prefix | Reference |
| --- | --- |
| A- | Android bug ID |
Versions
| Version | Date | Notes |
| --- | --- | --- |
| 1.0 | August 20, 2019 | Security Release Notes published. |
| 1.1 | August 21, 2019 | Minor adjustments to vulnerability tables |
| 1.2 | September 17, 2019 | Updated acknowledgements and issue list |
| 1.3 | November 21, 2019 | Updated issue list |
| 1.4 | February 12, 2020 | Updated issue list |
| 1.5 | February 26, 2020 | Updated issue list |
| 1.6 | May 11, 2020 | Updated issue list |
| 1.7 | June 11, 2020 | Updated issue list |
| 1.8 | January 27, 2021 | Updated issue list |