Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU19362
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-2277
CWE-ID: CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to lack of NULL termination on user-controlled data in WLAN. A local authenticated attacker can trigger an out-of-bounds read error and disclose information, disrupt service and modify the target applications.
The vulnerability exists in: Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
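An added illustration of the bug class described above, not code from the affected WLAN driver (which this bulletin does not show): a copy of caller-supplied data that omits the terminator, next to a hardened copy. The buffer size, function names and the sample command `scan` are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define CMD_CAP 16 /* constructed buffer size, not taken from the driver */

/* Flawed pattern: copies the caller's bytes but never writes a terminator. */
static void copy_cmd_unterminated(char *dst, const char *src, size_t len)
{
    if (len > CMD_CAP)
        len = CMD_CAP;
    memcpy(dst, src, len);
}

/* Hardened: refuse input that leaves no room for the terminator, then add it. */
static int copy_cmd_terminated(char *dst, const char *src, size_t len)
{
    if (len >= CMD_CAP)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Bounded length: never reads past cap, returns cap if no terminator exists. */
static size_t bounded_len(const char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (size_t)(nul - buf) : cap;
}

/* Copies the 4-byte constructed command "scan" into a buffer filled with
 * stale non-zero bytes and reports how long a string parser would see it. */
static size_t seen_length(int hardened)
{
    char buf[CMD_CAP];
    memset(buf, 0xAA, sizeof(buf)); /* stands in for leftover memory */
    if (hardened)
        copy_cmd_terminated(buf, "scan", 4);
    else
        copy_cmd_unterminated(buf, "scan", 4);
    return bounded_len(buf, sizeof(buf));
}

int main(void)
{
    printf("unterminated copy: parser sees %zu bytes\n", seen_length(0));
    printf("terminated copy:   parser sees %zu bytes\n", seen_length(1));
    return 0;
}
```

After the unterminated copy no terminator exists anywhere in the buffer, so an unbounded `strlen` or `sscanf` on it would read past its end; the bounded helper stops at the buffer size instead.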
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
SDX24: All versions
SDM660: All versions
SDM630: All versions
SDA660: All versions
SD855: All versions
SD850: All versions
SD845: All versions
SD835: All versions
SD820A: All versions
SD730: All versions
SD710: All versions
SD712: All versions
SD670: All versions
SD675: All versions
SD665: All versions
SD636: All versions
SD625: All versions
SD450: All versions
SD435: All versions
SD430: All versions
SD427: All versions
SD425: All versions
SD205: All versions
SD212: All versions
SD210: All versions
QCS605: All versions
QCS405: All versions
MSM8996AU: All versions
External links
http://www.codeaurora.org/security-bulletin/2019/06/03/june-2019-code-aurora-security-bulletin
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=477...
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.