Input validation error in Google Android - CVE-2018-11946

 


Published: November 27, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU36374
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-11946
CWE-ID: CWE-20
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, the UPnP daemon should not be running out of the box because it enables port forwarding without authentication.


How to mitigate CVE-2018-11946

Install the update from the vendor's website.

Sources