Android System heap buffer overflow RCE in Media Codecs Mainline
CVE-2026-0006 is a critical Android vulnerability in the System component, tied to the Media Codecs Mainline component on Android 16. The issue is described as occurring in multiple locations where a heap buffer overflow can cause out-of-bounds read and write conditions. The CVE record states that successful exploitation could lead to remote code execution. Available supporting content does not identify the exact vulnerable function or code path beyond the affected component context.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a compact exploit/reproduction kit for CVE-2026-0006, a heap buffer overflow in libopenapv as integrated into Android 16's APV decoder path. It is not part of a larger exploit framework. The repository contains one delivery/generation path and two native proof-of-concept programs that validate the bug at the decoder level.

Structure and purpose:
- README.md documents the vulnerability, affected versions, setup steps, and expected crash behavior.
- generate_overflow_mp4.py is the main exploit-building component. It reads a valid APV bitstream and a baseline MP4, prepends a forged AU_INFO PBU claiming 16x16 dimensions, preserves the original frame data that decodes as 64x64, patches MP4/APV metadata fields (apvC, apv1 sample entry, tkhd) to 16x16, replaces the mdat payload, and updates stsz/stco bookkeeping. The result is apv-mp4/overflow_auinfo.mp4.
- deploy_exploit_mp4.sh operationalizes the exploit against a connected Android device/emulator: it generates the MP4, pushes it to /sdcard/Download/overflow_auinfo.mp4, triggers media scanning, opens it via Android VIEW intents (preferably in Google Photos), and inspects logcat for SIGSEGV/ASan-style crash evidence.
- poc_mp4_asan.c is an end-to-end native PoC that mimics the Android C2SoftApvDec flow by parsing MP4 mdat content, checking the aPv1 signature, calling oapvd_info() to obtain attacker-controlled small dimensions, allocating buffers accordingly, and then calling oapvd_decode() where the larger real frame dimensions cause an out-of-bounds write. This is intended for ASan-instrumented confirmation.
- poc_android_oob_write.c is a lower-level standalone PoC that loads an APV file directly, exercises oapvd_info()/oapvd_decode(), and includes a deliberate undersized-buffer test with guard bytes to measure overflow into adjacent memory.

Main exploit capability: The exploit is a malicious media-file generator and deployment helper. Its core primitive is a dimension-confusion bug between metadata parsed by oapvd_info() and the actual frame dimensions consumed by oapvd_decode(). This yields a heap out-of-bounds write during APV decoding. The repository demonstrates crash reproduction and the memory corruption condition that could underpin zero-click remote code execution when vulnerable Android media components automatically process the file for thumbnails/previews.

Notable targeting details: The code and documentation specifically target Android 16 devices with APV codec support and pre-March 2026 patch levels, as well as upstream libopenapv versions v0.1.11.1 through v0.1.13.0. The Android delivery path relies on local adb interaction rather than remote network communication. No command shell payload or post-exploitation logic is included; the repository focuses on exploit file creation and vulnerability reproduction, making it operational but still primarily a crash/reproduction exploit rather than a full weaponized RCE chain.
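The defensive counterpart to the dimension-confusion primitive described above, as an added example that is not code from the repository or from libopenapv: a decoder consumer that sizes its output buffer from the metadata dimensions and then refuses to emit a decoded picture whose reported dimensions differ from those it allocated for. The apv_dims type, apv_emit_frame() and the 4:2:0 8-bit size formula are hypothetical stand-ins modelled on the oapvd_info()/oapvd_decode() contract the page describes, not the real libopenapv API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (assumption, not libopenapv's API): the dimensions a
 * decoder front-end reports from stream metadata versus the dimensions of
 * the frame the decode step actually produces. */
typedef struct { uint32_t w, h; } apv_dims;

/* Bytes needed for a 4:2:0, 8-bit frame (assumed layout); 0 signals
 * zero dimensions or arithmetic overflow, both treated as malformed. */
static size_t frame_bytes(apv_dims d) {
    uint64_t luma = (uint64_t)d.w * d.h;
    if (d.w == 0 || d.h == 0 || luma > SIZE_MAX / 2) return 0;
    return (size_t)(luma + luma / 2);
}

/* The vulnerable pattern on the page allocates from the metadata dims and
 * lets the decode step write the real-frame dims into that buffer unchecked.
 * Hardened variant: `out` was sized from metadata dims `alloc`; the decode
 * step reports `frame` for the produced picture. Copy only when the frame
 * matches the allocation exactly and fits both buffers; otherwise reject. */
int apv_emit_frame(uint8_t *out, size_t out_len, apv_dims alloc,
                   apv_dims frame, const uint8_t *pixels, size_t pixels_len) {
    size_t need = frame_bytes(frame);
    if (need == 0) return -1;                                 /* bad dims   */
    if (frame.w != alloc.w || frame.h != alloc.h) return -2;  /* confusion  */
    if (need > out_len || need > pixels_len) return -3;       /* would OOB  */
    memcpy(out, pixels, need);
    return 0;
}

/* Driver mirroring the page's scenario: metadata claims claimed_w x claimed_h,
 * the frame decodes as real_w x real_h. Returns apv_emit_frame's status. */
int check_dimension_confusion(uint32_t claimed_w, uint32_t claimed_h,
                              uint32_t real_w, uint32_t real_h) {
    apv_dims alloc = { claimed_w, claimed_h };
    apv_dims frame = { real_w, real_h };
    size_t out_len = frame_bytes(alloc);
    if (out_len == 0) return -1;
    uint8_t *out = calloc(1, out_len);            /* buffer sized from metadata */
    size_t pix_len = frame_bytes(frame);
    uint8_t *pixels = pix_len ? calloc(1, pix_len) : NULL; /* constructed decode output */
    int rc = (out && pixels) ? apv_emit_frame(out, out_len, alloc, frame, pixels, pix_len) : -1;
    free(out);
    free(pixels);
    return rc;
}
```

With the page's 16x16 metadata and 64x64 frame, the check returns -2 before any byte is written; the same inputs under the unchecked pattern would write 6144 bytes into a 384-byte buffer.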
Recent activity
27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical Android System remote code execution vulnerability that can be exploited without user interaction or additional privileges.
Critical Android System component vulnerability that could allow remote code execution without additional privileges or user interaction.
A critical remote code execution vulnerability in Android's core System component that could allow remote code execution without additional privileges.