Main Vulnerability Database Vulnerabilities #VU36956

Input validation error in Google Android - CVE-2017-15824

Published: July 6, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36956

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-15824

CWE-ID: CWE-20

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

In Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, the function UpdateDeviceStatus() writes a local stack buffer without initialization to flash memory using WriteToPartition() which may potentially leak memory.

How to mitigate CVE-2017-15824

Install update from vendor's website.

Sources

https://source.android.com/security/bulletin/pixel/2018-06-01#qualcomm-components

Input validation error in Google Android - CVE-2017-15824

Detailed vulnerability description

How to mitigate CVE-2017-15824

Sources

Please verify you're human