CVE-2025-34449 Overview
CVE-2025-34449 is a buffer overflow vulnerability affecting Genymobile/scrcpy versions up to and including 3.3.3. The flaw exists in the sc_device_msg_deserialize() function, where a compromised Android device can send crafted messages that cause out-of-bounds reads. This may result in memory corruption or a denial-of-service condition on the host system, with potential for further exploitation.
Critical Impact
A compromised Android device connected via scrcpy can exploit this buffer overflow to cause memory corruption or crash the host application, potentially enabling further exploitation of the host system.
Affected Products
- Genymobile/scrcpy versions up to and including 3.3.3
- All scrcpy installations prior to commit 3e40b24
Discovery Timeline
- 2025-12-18 - CVE-2025-34449 published to NVD
- 2026-01-03 - Last updated in NVD database
Technical Details for CVE-2025-34449
Vulnerability Analysis
The vulnerability resides in the message deserialization logic within scrcpy's device communication handler. When processing UHID_OUTPUT messages from a connected Android device, the sc_device_msg_deserialize() function incorrectly validates the message size parameter before reading data into memory buffers.
The root issue is a logic error in the boundary condition check. The code reads a 16-bit size value from the incoming message buffer but applies an incorrect comparison operator when validating whether sufficient data is available. This allows a malicious device to specify a size value larger than the actual data present, causing the subsequent malloc() and memory operations to read beyond the intended buffer boundaries.
Since scrcpy is designed to mirror Android device screens to host computers, an attacker who has compromised an Android device could leverage this vulnerability to attack the connected host system. The local attack vector requires the victim to connect their host machine to a compromised device via USB or network.
Root Cause
The vulnerability stems from an incorrect comparison operator in the size validation check within sc_device_msg_deserialize(). The condition if (size < len - 5) was used instead of the correct if (size > len - 5), allowing attackers to specify arbitrarily large size values that exceed the available buffer data.
Attack Vector
The attack requires a compromised Android device to be connected to a victim's host system running scrcpy. The malicious device sends specially crafted UHID_OUTPUT messages containing a size field that exceeds the actual message payload length. When scrcpy processes these messages, it performs out-of-bounds memory reads, potentially causing:
- Application crash (denial of service)
- Memory corruption on the host system
- Information disclosure through memory leakage
- Potential code execution if memory corruption can be weaponized
}
uint16_t id = sc_read16be(&buf[1]);
size_t size = sc_read16be(&buf[3]);
- if (size < len - 5) {
+ if (size > len - 5) {
return 0; // not available
}
uint8_t *data = malloc(size);
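Review bot: the patched condition `if (size > len - 5)` is only safe if `len` is guaranteed to be at least 5 before the subtraction; that guard is not among the visible lines (the stray closing brace at the top suggests a preceding block), so confirm it precedes this check, otherwise `len - 5` wraps around for a short message and any `size` passes. The comment `// not available` should also say that `0` means "wait for more data", since the same return now covers both an incomplete read and a declared size that can never be satisfied.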
Source: GitHub Commit 3e40b24
The fix changes the comparison operator from < to >, ensuring that the declared size does not exceed the actual available data in the buffer, thereby preventing out-of-bounds reads.
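The check described above, as an added illustration that is not scrcpy's own code: a minimal model of the UHID_OUTPUT size validation with the vulnerable and patched operators side by side, run over two constructed messages. The 5-byte header layout (type, big-endian id at offset 1, big-endian size at offset 3), the `len < 5` guard, and all names here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of a UHID_OUTPUT device message, taken from the fragment
 * above: 1-byte type, 16-bit big-endian id at offset 1, 16-bit big-endian
 * size at offset 3, then `size` payload bytes. Names here are illustrative. */
#define UHID_HDR_LEN 5

static uint16_t read16be(const uint8_t *p) {
    return (uint16_t)(((unsigned) p[0] << 8) | p[1]);
}

/* Models the size check only. Returns the number of bytes the deserializer
 * would go on to consume, or 0 for "not available" (wait for more data).
 * fixed == 0 uses the vulnerable operator, fixed == 1 the patched one. */
static size_t uhid_output_check(const uint8_t *buf, size_t len, int fixed) {
    if (len < UHID_HDR_LEN) {
        return 0; // header incomplete; guard assumed, it is not in the hunk
    }
    size_t avail = len - UHID_HDR_LEN;      // payload bytes really present
    size_t size = read16be(&buf[3]);        // payload bytes the device claims
    int not_available = fixed ? (size > avail) : (size < avail);
    if (not_available) {
        return 0;
    }
    return UHID_HDR_LEN + size;             // what malloc/memcpy would read
}

/* 1 when the accepted message length exceeds the bytes actually in buf. */
static int would_over_read(const uint8_t *buf, size_t len, int fixed) {
    return uhid_output_check(buf, len, fixed) > len;
}

/* Constructed sample: 3 payload bytes, but the size field claims 0xFFFF. */
static const uint8_t crafted_msg[] = {0x00, 0x00, 0x01, 0xFF, 0xFF, 'a', 'b', 'c'};
/* Constructed sample: size field matches the 3 payload bytes present,
 * followed by 2 bytes of the next message already sitting in the buffer. */
static const uint8_t honest_msg[] = {0x00, 0x00, 0x01, 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x00};

int main(void) {
    printf("crafted vulnerable over-read: %d\n", would_over_read(crafted_msg, sizeof crafted_msg, 0));
    printf("crafted patched    over-read: %d\n", would_over_read(crafted_msg, sizeof crafted_msg, 1));
    /* With the two trailing bytes buffered (len 10), the vulnerable operator
     * wrongly reports "not available" for an honest message; the patch accepts it. */
    printf("honest  vulnerable consumes : %zu\n", uhid_output_check(honest_msg, 10, 0));
    printf("honest  patched    consumes : %zu\n", uhid_output_check(honest_msg, 10, 1));
    return 0;
}
```

The inverted operator fails both ways: it lets a crafted size pass (vulnerable path reads 65540 bytes from an 8-byte buffer) and it stalls honest messages whenever more data than one message is buffered.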
Detection Methods for CVE-2025-34449
Indicators of Compromise
- Unexpected scrcpy application crashes or segmentation faults during Android device connections
- Abnormal memory consumption by the scrcpy process
- Crash dumps indicating memory access violations in sc_device_msg_deserialize() or related functions
- Suspicious UHID_OUTPUT message patterns in debug logs
Detection Strategies
- Monitor scrcpy process stability and log any unexpected terminations
- Implement application crash monitoring to detect repeated denial-of-service conditions
- Review connected Android devices for signs of compromise before establishing scrcpy connections
- Deploy endpoint detection and response (EDR) solutions to identify anomalous memory access patterns
Monitoring Recommendations
- Enable debug logging in scrcpy to capture message processing details
- Monitor system event logs for application crashes related to scrcpy
- Implement host-based intrusion detection for memory corruption indicators
- Track version information of scrcpy installations across the environment
How to Mitigate CVE-2025-34449
Immediate Actions Required
- Update scrcpy to a version that includes commit 3e40b24 or later
- Avoid connecting to untrusted or potentially compromised Android devices
- Review and validate the integrity of Android devices before establishing scrcpy connections
- Consider disabling UHID features if not required for your use case
Patch Information
The vulnerability has been addressed in commit 3e40b24 available in the Genymobile/scrcpy repository. Users should update to a version that includes this fix. The patch corrects the boundary validation logic in the sc_device_msg_deserialize() function by changing the comparison operator to properly validate message size against available buffer data.
Additional technical details and discussion are available in the GitHub Issue #6415.
Workarounds
- Restrict scrcpy usage to trusted, verified Android devices only
- Implement network segmentation to isolate systems running scrcpy from critical infrastructure
- Use USB debugging only on devices with verified firmware and security posture
- Monitor scrcpy connections and terminate any sessions exhibiting abnormal behavior
# Check current scrcpy version
scrcpy --version
# If building from source, ensure you have the patched version
git clone https://github.com/Genymobile/scrcpy.git
cd scrcpy
git log --oneline | grep 3e40b24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.