Allocation of Resources Without Limits or Throttling in Google Android

#VU37668 Allocation of Resources Without Limits or Throttling in Google Android

Published: 2018-01-13 | Updated: 2020-08-08

Vulnerability identifier: #VU37668

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-13190

CWE-ID: CWE-770

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A vulnerability in the Android media framework (libhevc) related to handling ps_codec_obj memory allocation failures. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-68299873.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0.1, 7.0 - 7.1.2, 8.0 - 8.1

External links
http://android.googlesource.com/platform/external/libhevc/+/3ed3c6b79a7b9a60c475dd4936ad57b0b92fd600
http://source.android.com/security/bulletin/pixel/2018-01-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Allocation of Resources Without Limits or Throttling in Google, Google Android