{"api_version":"1","generated_at":"2026-04-23T00:39:43+00:00","cve":"CVE-2019-9278","urls":{"html":"https://cve.report/CVE-2019-9278","api":"https://cve.report/api/cve/CVE-2019-9278.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-9278","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-9278"},"summary":{"title":"CVE-2019-9278","description":"In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774","state":"PUBLIC","assigner":"security@android.com","published_at":"2019-09-27 19:15:00","updated_at":"2023-11-07 03:13:00"},"problem_types":["CWE-787","CWE-190"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/","name":"FEDORA-2020-b4db792558","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: libexif-0.6.22-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566","name":"https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566","refsource":"CONFIRM","tags":[],"title":"fix CVE-2019-9278 · libexif/libexif@75aa732 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html","name":"openSUSE-SU-2020:0793","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0793-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2020/dsa-4618","name":"DSA-4618","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4618-1 libexif","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/","name":"FEDORA-2020-085150ac6e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 31 Update: libexif-0.6.22-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/10/27/1","name":"[oss-security] 20191026 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?","refsource":"MLIST","tags":[],"title":"oss-security - Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2020/Feb/9","name":"20200210 [SECURITY] [DSA 4618-1] libexif security update","refsource":"BUGTRAQ","tags":[],"title":"Bugtraq: [SECURITY] [DSA 4618-1] libexif security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202007-05","name":"GLSA-202007-05","refsource":"GENTOO","tags":[],"title":"libexif: Multiple vulnerabilities (GLSA 202007-05) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/","name":"FEDORA-2020-085150ac6e","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: libexif-0.6.22-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/libexif/libexif/issues/26","name":"https://github.com/libexif/libexif/issues/26","refsource":"CONFIRM","tags":[],"title":"Relevant commit for CVE-2019-9278 · Issue #26 · libexif/libexif · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/11/07/1","name":"[oss-security] 20191107 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?","refsource":"MLIST","tags":[],"title":"oss-security - Re: Security fixes from Android 10 release which are\n relevant outside the Android ecosystem?","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/","name":"FEDORA-2020-b4db792558","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: libexif-0.6.22-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://source.android.com/security/bulletin/android-10","name":"https://source.android.com/security/bulletin/android-10","refsource":"MISC","tags":["Vendor Advisory"],"title":"Android 10 Security Release Notes  |  Android Open Source Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/10/25/17","name":"[oss-security] 20191025 Security fixes from Android 10 release which are relevant outside the Android ecosystem?","refsource":"MLIST","tags":[],"title":"oss-security - Security fixes from Android 10 release which are relevant outside\n the Android ecosystem?","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html","name":"openSUSE-SU-2020:0264","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0264-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html","name":"[debian-lts-announce] 20200210 [SECURITY] [DLA 2100-1] libexif security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2100-1] libexif security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4277-1/","name":"USN-4277-1","refsource":"UBUNTU","tags":[],"title":"USN-4277-1: libexif vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-9278","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9278","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-9278","qid":"296075","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)"},{"cve":"CVE-2019-9278","qid":"377246","title":"Alibaba Cloud Linux Security Update for libexif (ALINUX2-SA-2020:0157)"},{"cve":"CVE-2019-9278","qid":"500291","title":"Alpine Linux Security Update for libexif"},{"cve":"CVE-2019-9278","qid":"690461","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for libexif (cff0b2e2-0716-11eb-9e5d-08002728f74c)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-9278","ASSIGNER":"security@android.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Android","version":{"version_data":[{"version_value":"Android-10"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Remote code execution"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://source.android.com/security/bulletin/android-10","url":"https://source.android.com/security/bulletin/android-10"},{"refsource":"MLIST","name":"[oss-security] 20191025 Security fixes from Android 10 release which are relevant outside the Android ecosystem?","url":"http://www.openwall.com/lists/oss-security/2019/10/25/17"},{"refsource":"MLIST","name":"[oss-security] 20191026 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?","url":"http://www.openwall.com/lists/oss-security/2019/10/27/1"},{"refsource":"MLIST","name":"[oss-security] 20191107 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?","url":"http://www.openwall.com/lists/oss-security/2019/11/07/1"},{"refsource":"DEBIAN","name":"DSA-4618","url":"https://www.debian.org/security/2020/dsa-4618"},{"refsource":"MLIST","name":"[debian-lts-announce] 20200210 [SECURITY] [DLA 2100-1] libexif security update","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html"},{"refsource":"BUGTRAQ","name":"20200210 [SECURITY] [DSA 4618-1] libexif security update","url":"https://seclists.org/bugtraq/2020/Feb/9"},{"refsource":"CONFIRM","name":"https://github.com/libexif/libexif/issues/26","url":"https://github.com/libexif/libexif/issues/26"},{"refsource":"CONFIRM","name":"https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566","url":"https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566"},{"refsource":"UBUNTU","name":"USN-4277-1","url":"https://usn.ubuntu.com/4277-1/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0264","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0793","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"},{"refsource":"FEDORA","name":"FEDORA-2020-b4db792558","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/"},{"refsource":"FEDORA","name":"FEDORA-2020-085150ac6e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/"},{"refsource":"GENTOO","name":"GLSA-202007-05","url":"https://security.gentoo.org/glsa/202007-05"}]},"description":{"description_data":[{"lang":"eng","value":"In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774"}]}},"nvd":{"publishedDate":"2019-09-27 19:15:00","lastModifiedDate":"2023-11-07 03:13:00","problem_types":["CWE-787","CWE-190"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"9278","Ordinal":"147142","Title":"CVE-2019-9278","CVE":"CVE-2019-9278","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"9278","Ordinal":"1","NoteData":"In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774","Type":"Description","Title":null},{"CveYear":"2019","CveId":"9278","Ordinal":"2","NoteData":"2019-09-27","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"9278","Ordinal":"3","NoteData":"2020-07-26","Type":"Other","Title":"Modified"}]}}}