Use-after-free in Google Android - CVE-2017-9704

 

Use-after-free in Google Android - CVE-2017-9704

Published: December 20, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU36278
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-9704
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, There is no synchronization between msm_vb2 buffer operations which can lead to use after free.


How to mitigate CVE-2017-9704

Install update from vendor's website.

Sources