In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774
Conclusion & alert: CVE-2019-9278 is rated High Risk (66.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 4.06%). Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 3.75% | 4.06% | +0.31% |
| 2 | 2025-12-28 | 2.59% | 3.75% | +1.16% |
| 3 | 2025-12-27 | — | 2.59% | — |
Full EPSS history (27 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
high | CVE-2019-9278: 1 source package rows (libexif); 10 state rows across 10 repos (3.10-main, 3.11-main, 3.12-main, 3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 10, open 0. | https://security.alpinelinux.org/vuln/CVE-2019-9278 |
debian
|
not yet assigned | CVE-2019-9278 not yet assigned priority: Debian including 1 source packages (libexif), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2019-9278 |
gentoo
|
normal | CVE-2019-9278: 1 GLSA(s) (202007-05), 1 atom(s) (media-libs/libexif); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2019-9278 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2019-9278 |
suse
|
high | CVE-2019-9278 severity important: SUSE including 31 source package names (libexif-0.6.17-2.14.7.2, libexif-0.6.22-1.el7, …), 105 product×package rows across 57 product lines (HPE Helion OpenStack 8, SUSE Enterprise Storage 5, … (57 product lines)): Fixed 105. | https://www.suse.com/security/cve/CVE-2019-9278/ |
ubuntu
|
medium | CVE-2019-9278 medium priority: Ubuntu including 1 source packages (libexif), 6 status rows across 6 suites (bionic, disco, eoan, trusty, upstream, xenial): released 4, ignored 1, needs-triage 1. | https://ubuntu.com/security/CVE-2019-9278 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| android | 10.0 | cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:* | |
| opensuse | leap | 15.1 | cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* |
| fedoraproject | fedora | 31 | cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* |
| fedoraproject | fedora | 32 | cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 12.04 | cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 14.04 | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* |
| canonical | ubuntu_linux | 16.04 | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* |
| canonical | ubuntu_linux | 18.04 | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 19.10 | cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:* |