Main Vulnerability Database Vulnerabilities #VU37395

Improper Validation of Array Index in Google Android - CVE-2017-14889

Published: March 16, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37395

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-14889

CWE-ID: CWE-129

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, due to the lack of a range check on the array index into the WMI descriptor pool, arbitrary address execution may potentially occur in the process mgmt completion handler.

How to mitigate CVE-2017-14889

Install update from vendor's website.

Sources

https://source.android.com/security/bulletin/pixel/2018-03-01
https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=e11e9dc8298dc0632050cacce96e9652d017f755

Improper Validation of Array Index in Google Android - CVE-2017-14889

Detailed vulnerability description

How to mitigate CVE-2017-14889

Sources

Please verify you're human