CVE-2019-2027

HIGH

Android 7.0-9 - Remote Code Execution via Incorrect Bounds Check in floor0_inverse1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-2027. PoCs published by codecat007.

AI-analyzed exploit summary: This repository provides a technical analysis of CVE-2019-2027, a null pointer dereference vulnerability in the Vorbis multimedia decoder on Android. It includes a crash report and details about the affected library (`libvorbisidec.so`) and the fixed version.

Description

In floor0_inverse1 of floor0.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-119120561.

Exploits (1)

github WRITEUP 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/CVE-2019-2027

Classification: Writeup 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Android (libvorbisidec.so in media.codec)
No auth needed
Prerequisites: A vulnerable Android device (pre-April 2019 security patch) · An app that decodes Vorbis OGG files using the system decoder
devstral-2 · analyzed Feb 27, 2026

References (1)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://source.android.com/security/bulletin/2019-04-01

Scores

CVSS v3 8.8
EPSS 0.0034
EPSS Percentile 57.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-787
Status published
Products (6)
google/android 7.0
google/android 7.1.1
google/android 7.1.2
google/android 8.0
google/android 8.1
google/android 9.0
Published Apr 19, 2019
Tracked Since Feb 18, 2026