CVE-2015-3864

Android < 5.1.1 - Remote Code Execution via Crafted MPEG-4 Data

Exploitation Summary

EIP tracks 9 public exploits for CVE-2015-3864. PoCs have been published by Metasploit, Google Security Research, and NorthBit, including the Metasploit module exploits/android/browser/stagefright_mp4_tx3g_64bit.

AI-analyzed exploit summary: This Metasploit module exploits an integer overflow in Android's Stagefright library (CVE-2015-3864) via a crafted MP4 file delivered through an HTML5 browser. It uses a two-stage information leak to bypass ASLR and achieve remote code execution on vulnerable devices.

Description

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.

Exploits (9)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · android
https://www.exploit-db.com/exploits/40436

This Metasploit module exploits an integer overflow in Android's Stagefright library (CVE-2015-3864) via a crafted MP4 file delivered through an HTML5 browser. It uses a two-stage information leak to bypass ASLR and achieve remote code execution on vulnerable devices.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android Stagefright Library (libstagefright.so) on various Android versions (5.0-5.1.1)
No auth needed
Prerequisites: Target device with vulnerable Android version · HTML5-compliant browser · Network access to deliver malicious MP4 file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Google Security Research · python · remote · android
https://www.exploit-db.com/exploits/38226

This exploit targets CVE-2015-3864, a vulnerability in Android's mediaserver, using heap grooming and ROP chains to achieve arbitrary code execution. It leverages memory corruption via a crafted MP4 file to execute shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android mediaserver (versions affected by CVE-2015-3864)
No auth needed
Prerequisites: Crafted MP4 file delivery to the target device · Vulnerable Android mediaserver version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by NorthBit · text · remote · android
https://www.exploit-db.com/exploits/39640

Metaphor is a Python-based exploit generator for CVE-2015-3864, targeting Stagefright in Android 5.0.1 (Nexus 5). It generates MP4 files to bypass ASLR and achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android Stagefright (Android 5.0.1, Nexus 5 Build LRX22C)
No auth needed
Prerequisites: Target device running vulnerable Android version · Delivery mechanism for malicious MP4 file
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 17 stars
by eudemonics · poc
https://github.com/eudemonics/scaredycat

This is a Python script that generates a malicious MP4 file exploiting CVE-2015-3864 (Stagefright integer overflow vulnerability) and hosts it via a web server. It includes ROP gadget discovery and shellcode injection capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android (Stagefright library)
No auth needed
Prerequisites: libc.so file (typically from Android device) · shellcode payload · Python with pwntools and cherrypy
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 3 stars
by pwnaccelerator · poc
https://github.com/pwnaccelerator/stagefright-cve-2015-3864

This repository contains a README describing binary patches for CVE-2015-3864, a vulnerability in Android's Stagefright library. It does not include exploit code but provides context for mitigating the issue.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Android Stagefright library (versions affected by CVE-2015-3864)
No auth needed
Prerequisites: Access to apply binary patches
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 stars
by Bhathiya404 · poc
https://github.com/Bhathiya404/Exploiting-Stagefright-Vulnerability-CVE-2015-3864

This repository contains a README describing the exploitation of CVE-2015-3864, a Stagefright vulnerability in Android versions 2.2 through 5.1.1. It mentions remote code execution and privilege escalation but lacks actual exploit code or technical details.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Android 2.2 Froyo through 5.1.1 Lollipop
No auth needed
Prerequisites: Android device running vulnerable version · Delivery mechanism for malicious media file
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by HenryVHuang · poc
https://github.com/HenryVHuang/CVE-2015-3864

This PoC generates malformed MP4 files to trigger a buffer overflow in the target software, specifically exploiting CVE-2015-3864. The scripts create MP4 files with crafted metadata to demonstrate the vulnerability.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Mediaserver in Android versions prior to 5.1.1 LMY48M
No auth needed
Prerequisites: Ability to deliver the crafted MP4 file to the target device
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by jduck, NorthBit · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb

This Metasploit module exploits an integer overflow vulnerability in Android's Stagefright library (CVE-2015-3864) via a crafted MP4 file delivered through an HTML5 browser. It uses a two-stage information leak to bypass ASLR and construct a ROP chain for remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android Stagefright Library (libstagefright.so) on various Android versions (5.0-5.1.1)
No auth needed
Prerequisites: Target device with vulnerable Android version · HTML5-compliant browser · Network access to deliver the exploit
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38226/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76682
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40436/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39640/

Scores

EPSS: 0.8712
EPSS Percentile: 99.7%

Details

CWE: CWE-189
Status: published
Products (1): google/android < 5.1
Published: Oct 01, 2015
Tracked Since: Feb 18, 2026