Main Vulnerability Database Vulnerabilities #VU36634

Improper Validation of Array Index in Google Android - CVE-2018-11891

Published: September 19, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36634

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-11891

CWE-ID: CWE-129

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on the length of array while accessing can lead to an out of bound read in WLAN HOST function.

How to mitigate CVE-2018-11891

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/107770
https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=2fc3e8a2ae8233690872d313fbfb4c74d0c61daa
https://www.codeaurora.org/security-bulletin/2018/09/04/september-2018-code-aurora-security-bulletin

Improper Validation of Array Index in Google Android - CVE-2018-11891

Detailed vulnerability description

How to mitigate CVE-2018-11891

Sources

Please verify you're human