Buffer overflow in Google Android

#VU36645 Buffer overflow in Google Android

Cybersecurity Help s.r.o.

Published: 2018-09-19 | Updated: 2020-08-08

Vulnerability identifier: #VU36645

Vulnerability risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5905

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a race condition while accessing num of clients in DIAG services can lead to out of boundary access.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android:

External links
http://support.blackberry.com/kb/articleDetail?articleNumber=000051163
http://source.android.com/security/bulletin/pixel/2018-08-01#qualcomm-components
http://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=6eb2f4f6fde1b210712d6ac66b40b9e7684d77db
http://www.codeaurora.org/security-bulletin/2018/09/04/september-2018-code-aurora-security-bulletin

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in Google, Google Android