CVE-2015-6620

Android < 5.1.1 LMY48Z and 6.0 < 2015-12-01 - Privilege Escalation via libstagefright

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-6620. PoCs published by flankerhqd.

Description

libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bugs 24123723 and 24445127.

Exploits (2)

nomisec WORKING POC 52 stars
by flankerhqd · poc
https://github.com/flankerhqd/mediacodecoob

This PoC exploits CVE-2015-6620, a memory corruption vulnerability in Android's mediaserver, to achieve arbitrary code execution. It uses a combination of heap spraying and DRM session manipulation to trigger the vulnerability and gain control over program execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android mediaserver (tested on Android 5.1.1 LMY48I)
No auth needed
Prerequisites: Access to the target Android device · Ability to execute arbitrary code on the device
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 38 stars
by flankerhqd · poc
https://github.com/flankerhqd/CVE-2015-6620-POC

This PoC demonstrates an arbitrary write vulnerability in Android's AMessage unmarshaling (CVE-2015-6620) by exploiting an out-of-bounds write in the `mNumItems` loop. It targets the mediaserver via the IStreamListener interface, leading to memory corruption and potential RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android mediaserver (AMessage unmarshaling in libstagefright_foundation)
No auth needed
Prerequisites: Access to an Android device with vulnerable mediaserver · Ability to run ADB commands
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0168
EPSS Percentile 74.0%

Details

CWE: CWE-264
Status: published
Products (2): google/android 6.0 · google/android 5.0 - 5.1.1
Published: Dec 08, 2015
Tracked Since: Feb 18, 2026