Login Sign Up

CVE-2021-39762

7.5 HIGH

📋 TL;DR

CVE-2021-39762 is an integer overflow vulnerability in Android's tremolo audio decoder that could allow remote attackers to read memory beyond intended boundaries. This could lead to information disclosure without requiring user interaction or additional privileges. Only Android 12L devices are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 12L only
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices running Android 12L. The vulnerability is in the tremolo audio decoder component.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker could read sensitive memory contents from the tremolo audio decoder process, potentially exposing cryptographic keys, authentication tokens, or other protected data.

🟠

Likely Case

Information disclosure of limited memory contents from the audio decoder process, potentially revealing system information or application data.

🟢

If Mitigated

No impact if patched or if affected component is not exposed to untrusted audio files.

🌐 Internet-Facing: MEDIUM - Exploitable via malicious audio files delivered through web, email, or messaging apps, but requires specific audio processing.
🏢 Internal Only: LOW - Same attack vectors apply internally, but internal networks typically have more controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

No authentication required, but exploitation requires delivering a specially crafted audio file to trigger the integer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Bulletin for Android 12L (March 2022 or later)

Vendor Advisory: https://source.android.com/security/bulletin/android-12l

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the latest security update. 3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable automatic media processing

android

Prevent automatic processing of audio files from untrusted sources

Use alternative audio players

android

Use third-party audio players that don't use the vulnerable tremolo decoder

🧯 If You Can't Patch

  • Restrict access to audio files from untrusted sources
  • Implement network filtering to block malicious audio file delivery

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If it shows Android 12L and security patch level is before March 2022, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android version is 12L with security patch level March 2022 or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

  • Audio decoder crashes
  • Memory access violations in media server logs

Network Indicators:

  • Unusual audio file downloads
  • Suspicious media file transfers

SIEM Query:

source="android_logs" AND (process="mediaserver" OR process="audioserver") AND (event="crash" OR event="segfault")

📊 Metadata

CVE ID: CVE-2021-39762
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-190
Published: March 30, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-39762, you might also want to check these:

CVE-2025-64721 10.0

This vulnerability in Sandboxie allows sandboxed processes to exploit an integer overflow in the Sbi...

Same vulnerability type (CWE-190)
CVE-2025-52581 9.8

An integer overflow vulnerability in libbiosig's GDF file parsing allows arbitrary code execution wh...

Same vulnerability type (CWE-190)
CVE-2025-53518 9.8

An integer overflow vulnerability in libbiosig's ABF file parser allows arbitrary code execution whe...

Same vulnerability type (CWE-190)