Main Vulnerability Database Vulnerabilities #VU36379

Use-after-free in Google Android - CVE-2018-5904

Published: November 27, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36379

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-5904

CWE-ID: CWE-416

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while list traversal in LPM status driver for clean up, use after free vulnerability may occur.

How to mitigate CVE-2018-5904

Install update from vendor's website.

Sources

https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=88b838c8952ec6414c72449ae15768d15d2606dd
https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=8e82c0d84ccee87309fd22f8208915f0ba502b26
https://www.codeaurora.org/security-bulletin/2018/11/05/november-2018-code-aurora-forum-security-bulletin

Use-after-free in Google Android - CVE-2018-5904

Detailed vulnerability description

How to mitigate CVE-2018-5904

Sources

Please verify you're human