Out-of-bounds read in Google Android - CVE-2017-18060

 

Out-of-bounds read in Google Android - CVE-2017-18060

Published: March 16, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU37410
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-18060
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for resp_event->vdev_id in wma_unified_bcntx_status_event_handler(), which is received from firmware, leads to potential out of bounds memory read.


How to mitigate CVE-2017-18060

Install update from vendor's website.

Sources