CVE-2019-2107

HIGH

Android 7.0-9 - Out-of-bounds Write in ihevcd_parse_pps

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2019-2107. PoCs published by Marcin Kozlowski, infiniteLoopers, atm98.

AI-analyzed exploit summary: The provided text describes CVE-2019-2107, a vulnerability in Android 7-9 affecting the HEVC (H.265) decoder, allowing remote code execution via a crafted video file with tiles enabled. The PoC is referenced as a separate downloadable file.

Description

In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844.

Exploits (5)

exploitdb WRITEUP
by Marcin Kozlowski · text · remote · android
https://www.exploit-db.com/exploits/47157

The provided text describes CVE-2019-2107, a vulnerability in Android 7-9 affecting the HEVC (H.265) decoder, allowing remote code execution via a crafted video file with tiles enabled. The PoC is referenced as a separate downloadable file.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Android 7-9 (HEVC decoder)
No auth needed
Prerequisites: Crafted video file with tiles enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Marcin Kozlowski · text · dos · android
https://www.exploit-db.com/exploits/47119

This exploit demonstrates a remote code execution (RCE) vulnerability in Android's HEVC (H.265) decoder via a crafted video file with invalid tile widths. The PoC triggers a crash in the mediacodec process, potentially leading to arbitrary code execution under the mediacodec user context.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android HEVC decoder (OMX.google.hevc.decoder)
No auth needed
Prerequisites: Crafted HEVC video file with invalid tile widths
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 4 stars
by infiniteLoopers · poc
https://github.com/infiniteLoopers/CVE-2019-2107

This repository provides a detailed technical analysis of CVE-2019-2107, a vulnerability in the HEVC (H.265) decoder that can lead to RCE on Android devices. It includes crash logs, proof-of-concept video files, and insights into the exploitation process, but does not contain functional exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Android (HEVC decoder, specifically OMX.google.hevc.decoder)
No auth needed
Prerequisites: Crafted HEVC video file with invalid tile widths · Target device must process the malicious video file
devstral-2 · analyzed Feb 18, 2026

gitlab WRITEUP
by atm98 · poc
https://gitlab.com/atm98/CVE-2019-2107

The repository provides a detailed technical analysis of CVE-2019-2107, a vulnerability in the HEVC (H.265) decoder affecting Android devices. It includes logs, crash dumps, and references to specific code paths in FFmpeg and Android's media framework, demonstrating an understanding of the root cause involving invalid tile widths in HEVC video parsing.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Android (HEVC decoder, e.g., OMX.google.hevc.decoder)
No auth needed
Prerequisites: Crafted HEVC video file with invalid tile widths
devstral-2 · analyzed Feb 23, 2026

nomisec WRITEUP
by CrackerCat · poc
https://github.com/CrackerCat/CVE-2019-2107

The repository provides a detailed technical analysis of CVE-2019-2107, a vulnerability in the HEVC (H.265) decoder affecting Android devices. It includes crash logs, proof-of-concept video files, and explanations of the root cause involving invalid tile widths in HEVC video parsing.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android (HEVC decoder, specifically OMX.google.hevc.decoder)
No auth needed
Prerequisites: A crafted HEVC video file with invalid tile widths
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Vendor Advisory x_refsource_confirm
https://source.android.com/security/bulletin/2019-07-01
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Jul/18

Scores

CVSS v3 8.8
EPSS 0.4305
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (6)
google/android 7.0
google/android 7.1.1
google/android 7.1.2
google/android 8.0
google/android 8.1
google/android 9.0
Published Jul 08, 2019
Tracked Since Feb 18, 2026