Input validation error in Google Android - CVE-2018-11266
Published: November 27, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36360
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-11266
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Google
Affected software:
Google Android
Google Android
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper input validation can lead to an improper access to already freed up dci client entries while closing dci client.
How to mitigate CVE-2018-11266
Install update from vendor's website.
Sources
- https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=21dd238ad58362877e341d905bea1c7cf273f19a
- https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8e5749b17c2024af317f06e08aae455af9b79bd0
- https://www.codeaurora.org/security-bulletin/2018/08/06/august-2018-code-aurora-security-bulletin