Input validation error in Google Android - CVE-2018-11946
Published: November 27, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36374
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-11946
CWE-ID: CWE-20
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Google
Affected software:
Google Android
Google Android
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, the UPnP daemon should not be running out of box because it enables port forwarding without authentication.
How to mitigate CVE-2018-11946
Install update from vendor's website.