Overview
The Samsung Qmage codec used in the Android Skia library does not properly validate image files. A number of memory corruption vulnerabilities allow an attacker to execute arbitrary code by causing a vulnerable system to parse a Qmage file.
Description
The Samsung May 2020 Android Security Update notes that "a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution." Samsung identifies this vulnerability as SVE-2020-16747, more commonly known as CVE-2020-8899. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system. Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected. |
Impact
Exploitation of this vulnerability permits a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. |
Solution
Apply an update |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 7.8 | E:POC/RL:OF/RC:ND |
| Environmental | 7.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
This vulnerability was published by Mateusz Jurczyk at Google Project Zero.
This document was written by Eric Hatleback.
Other Information
| CVE IDs: | CVE-2020-8899 |
| Date Public: | 2020-01-28 |
| Date First Published: | 2020-05-14 |
| Date Last Updated: | 2020-05-15 14:53 UTC |
| Document Revision: | 12 |