CVE-2015-1528

Android <5.1.1 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-1528. PoCs published by secmob, kanpol.

AI-analyzed exploit summary This PoC exploits CVE-2015-1528, a privilege escalation vulnerability in Android's mediaserver, surfaceflinger, and system_server components via Binder calls. It injects code into these services to escalate privileges, with hardcoded addresses for Nexus 5 (Android 5.0).

Description

Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482.

Exploits (2)

nomisec WORKING POC 117 stars

by secmob · poc

https://github.com/secmob/PoCForCVE-2015-1528

View Code ZIP pw:eip

This PoC exploits CVE-2015-1528, a privilege escalation vulnerability in Android's mediaserver, surfaceflinger, and system_server components via Binder calls. It injects code into these services to escalate privileges, with hardcoded addresses for Nexus 5 (Android 5.0).

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Android 5.0 (LRX21O) mediaserver, surfaceflinger, system_server

No auth needed

Prerequisites: Physical or local access to the target device · Busybox binary placed at /data/local/tmp/busybox · Android 5.0 (LRX21O) on Nexus 5

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by kanpol · poc

https://github.com/kanpol/PoCForCVE-2015-1528

View Code ZIP pw:eip

This PoC demonstrates privilege escalation via CVE-2015-1528, exploiting a vulnerability in Android's Binder IPC mechanism to inject code into mediaserver, surfaceflinger, and system_server processes. It includes shellcode injection and memory manipulation techniques to achieve local privilege escalation on Android 5.0.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Android 5.0 (LRX21O)

No auth needed

Prerequisites: Physical or local access to the target device · BusyBox binary placed at /data/local/tmp/busybox

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory mailing-list x_refsource_mlist

https://groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ

Vendor Advisory x_refsource_confirm

https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254

Vendor Advisory x_refsource_confirm

https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14

Various Sources x_refsource_misc

https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege.pdf

Scores

EPSS 0.0274

EPSS Percentile 84.3%

Details

CWE

CWE-189

Status published

Products (1)

google/android < 5.1

Published Oct 01, 2015

Tracked Since Feb 18, 2026