CVE-2019-10522

9.8 CRITICAL

📋 TL;DR

This is a buffer overflow vulnerability in Qualcomm Snapdragon chipsets when parsing nonstandard media clips. Attackers can execute arbitrary code on affected devices by tricking users into playing malicious media files. The vulnerability affects a wide range of Qualcomm-powered devices across automotive, mobile, IoT, and wearable platforms.

💻 Affected Systems

Products:
  • Snapdragon Auto
  • Snapdragon Compute
  • Snapdragon Consumer IOT
  • Snapdragon Industrial IOT
  • Snapdragon IoT
  • Snapdragon Mobile
  • Snapdragon Voice & Music
  • Snapdragon Wearables
Versions: Multiple chipset versions including MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20
Operating Systems: Android (Qualcomm-based devices)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using vulnerable Qualcomm chipsets with media playback capabilities. The vulnerability is in the chipset firmware/drivers, not the OS itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with kernel privileges leading to complete device compromise, data theft, and persistent backdoor installation.
🟠 Likely Case: Application crash or denial of service, with potential for limited code execution in media processing context.
🟢 If Mitigated: Application sandboxing may contain the exploit to the media player process only.

🌐 Internet-Facing: HIGH - Malicious media files can be delivered via web, email, messaging apps, or network shares.
🏢 Internal Only: MEDIUM - Still exploitable via internal file shares or compromised internal services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to play malicious media, but no authentication is needed. The buffer overflow (CWE-120) suggests reliable exploitation is possible with proper crafting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patches from October 2019 onward

Vendor Advisory: https://source.android.com/security/bulletin/2019-10-01

Restart Required: Yes

Instructions:

1. Check for Android security updates from device manufacturer.
2. Apply October 2019 or later security patch level.
3. Reboot device after update.
4. Verify patch level in Settings > About phone > Android security patch level.

🔧 Temporary Workarounds

  • Disable automatic media playback (all): Prevent automatic playback of media files in browsers and messaging apps
  • Use trusted media sources only (all): Restrict media playback to trusted applications and sources

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks and internet access
  • Implement application allowlisting to restrict which apps can play media files

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone. If it is earlier than October 2019, the device is likely vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the Android security patch level is October 2019 or later. Check that the Qualcomm chipset version matches the patched list.
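
The patch-level check above, scripted so it can be run against every attached device. This is an added example, not part of the vendor advisory; the function names and the `--scan` flag are assumptions made here, and "October 2019" is taken as patch level 2019-10-01. It covers only the patch-level comparison, not the chipset check.

```shell
#!/bin/sh
# Added example: compare ro.build.version.security_patch with the
# October 2019 level this page gives as the fix for CVE-2019-10522.
FIXED_LEVEL="2019-10-01"   # assumption: "October 2019" read as its first patch level

# classify_patch_level LEVEL
# Prints "at-or-after-fix", "likely-vulnerable" or "unknown".
classify_patch_level() {
    # adb output usually ends in CR/LF; strip all whitespace first
    level=$(printf '%s' "$1" | tr -d '[:space:]')
    # Accept only YYYY-MM-DD; an empty or truncated value is "unknown",
    # never silently treated as patched
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # ISO dates order correctly as integers once the dashes are removed
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$FIXED_LEVEL" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then
        echo "at-or-after-fix"
    else
        echo "likely-vulnerable"
    fi
}

# check_device SERIAL
# Prints "SERIAL LEVEL VERDICT" for one device. Requires adb on PATH.
check_device() {
    # </dev/null stops "adb shell" from consuming the caller's stdin,
    # which would otherwise swallow the rest of the serial list below
    raw=$(adb -s "$1" shell getprop ro.build.version.security_patch \
          </dev/null 2>/dev/null)
    shown=$(printf '%s' "$raw" | tr -d '[:space:]')
    printf '%s %s %s\n' "$1" "${shown:-?}" "$(classify_patch_level "$raw")"
}

# With --scan, check every device that adb lists in the "device" state
if [ "${1:-}" = "--scan" ]; then
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        check_device "$serial"
    done
fi
```

Devices reported as `unknown` returned no usable patch level and should be checked by hand in Settings > About phone.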

📡 Detection & Monitoring

Log Indicators:

  • Media player crashes with segmentation faults
  • Kernel panic logs related to media processing
  • Unusual process spawning from media applications

Network Indicators:

  • Downloads of unusual media file types
  • Outbound connections from media apps to unknown destinations

SIEM Query:

source="android_logs" AND (event="segmentation fault" OR event="kernel panic") AND process="media.*"
