{"id":"ASB-A-427113482","details":"In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-427113482","CVE-2025-48592"],"modified":"2026-04-03T15:37:31.002635Z","published":"2025-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/8febdebcb5e8736ec013a7d64e70f50e87649b52"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2025-12-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/ba571df05a6e65545dbda4c9988c2bc23aae8f16"],"types":["ID"],"severity":"High","vanir_signatures":[{"deprecated":false,"target":{"file":"media/codec2/components/dav1d/C2SoftDav1dDec.cpp","function":"C2SoftDav1dDec::initDecoder"},"id":"ASB-A-427113482-8b02cc06","signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ba571df05a6e65545dbda4c9988c2bc23aae8f16","digest":{"function_hash":"25058861448546541125187266146201091443","length":956}},{"deprecated":false,"target":{"file":"media/codec2/components/dav1d/C2SoftDav1dDec.cpp"},"id":"ASB-A-427113482-e7c61139","signature_type":"Line","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ba571df05a6e65545dbda4c9988c2bc23aae8f16","digest":{"threshold":0.9,"line_hashes":["194601266704142360724374613269733820402","153098406477915171747020160464923082297","246323934513271302578435165879924546964","139973620746190050113620590758254972576"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-427113482.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-12-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/25c66cbc720dd6c28aa1abe32eecda1ea4878328"],"types":["ID"],"severity":"High","vanir_signatures":[{"deprecated":false,"target":{"file":"media/codec2/components/dav1d/C2SoftDav1dDec.cpp"},"id":"ASB-A-427113482-5675d6e9","signature_type":"Line","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/25c66cbc720dd6c28aa1abe32eecda1ea4878328","digest":{"threshold":0.9,"line_hashes":["194601266704142360724374613269733820402","153098406477915171747020160464923082297","246323934513271302578435165879924546964","139973620746190050113620590758254972576"]}},{"deprecated":false,"target":{"file":"media/codec2/components/dav1d/C2SoftDav1dDec.cpp","function":"C2SoftDav1dDec::initDecoder"},"id":"ASB-A-427113482-752f63b3","signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/25c66cbc720dd6c28aa1abe32eecda1ea4878328","digest":{"function_hash":"25058861448546541125187266146201091443","length":956}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-427113482.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-12-01"}]}],"versions":["16"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/ea4bc6759153ef0ceadc7a802bad4b50d8012ba3"],"types":["ID"],"severity":"High","vanir_signatures":[{"deprecated":false,"target":{"file":"media/codec2/components/dav1d/C2SoftDav1dDec.cpp"},"id":"ASB-A-427113482-134fbe9f","signature_type":"Line","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ea4bc6759153ef0ceadc7a802bad4b50d8012ba3","digest":{"threshold":0.9,"line_hashes":["194601266704142360724374613269733820402","153098406477915171747020160464923082297","246323934513271302578435165879924546964","139973620746190050113620590758254972576"]}},{"deprecated":false,"target":{"file":"media/codec2/components/dav1d/C2SoftDav1dDec.cpp","function":"C2SoftDav1dDec::initDecoder"},"id":"ASB-A-427113482-a82a6f6b","signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ea4bc6759153ef0ceadc7a802bad4b50d8012ba3","digest":{"function_hash":"25058861448546541125187266146201091443","length":956}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-427113482.json"}}],"schema_version":"1.7.5"}