{"api_version":"1","generated_at":"2026-06-10T07:41:18+00:00","cve":"CVE-2018-9521","urls":{"html":"https://cve.report/CVE-2018-9521","api":"https://cve.report/api/cve/CVE-2018-9521.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-9521","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-9521"},"summary":{"title":"CVE-2018-9521","description":"In parseMPEGCCData of NuPlayer2CCDecoder.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-111874331","state":"PUBLIC","assigner":"security@android.com","published_at":"2018-11-14 18:29:00","updated_at":"2018-12-27 14:06:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://source.android.com/security/bulletin/2018-11-01","name":"https://source.android.com/security/bulletin/2018-11-01","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Android Security Bulletin—November 2018  |  Android Open Source Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105865","name":"105865","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Google Android Media Framework Component Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-9521","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9521","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"9521","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"9521","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@android.com","ID":"CVE-2018-9521","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Android","version":{"version_data":[{"version_value":"Android-9"}]}}]},"vendor_name":"Google Inc."}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In parseMPEGCCData of NuPlayer2CCDecoder.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-111874331"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Remote code execution"}]}]},"references":{"reference_data":[{"name":"105865","refsource":"BID","url":"http://www.securityfocus.com/bid/105865"},{"name":"https://source.android.com/security/bulletin/2018-11-01","refsource":"CONFIRM","url":"https://source.android.com/security/bulletin/2018-11-01"}]}},"nvd":{"publishedDate":"2018-11-14 18:29:00","lastModifiedDate":"2018-12-27 14:06:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"9521","Ordinal":"125935","Title":"CVE-2018-9521","CVE":"CVE-2018-9521","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"9521","Ordinal":"1","NoteData":"In parseMPEGCCData of NuPlayer2CCDecoder.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-111874331","Type":"Description","Title":null},{"CveYear":"2018","CveId":"9521","Ordinal":"2","NoteData":"2018-11-14","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"9521","Ordinal":"3","NoteData":"2018-11-15","Type":"Other","Title":"Modified"}]}}}