#VU19362 Out-of-bounds read in Qualcomm products - CVE-2019-2277

Vulnerability identifier: #VU19362

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-2277

CWE-ID: CWE-125

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
SDX24
SDM660
SDM630
SDA660
SD855
SD850
SD845
SD835
SD820A
SD730
SD710
SD712
SD670
SD675
SD665
SD636
SD625
SD450
SD435
SD430
SD427
SD425
SD205
SD212
SD210
QCS605
QCS405
MSM8996AU

Software vendor:
Qualcomm

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to lack of NULL termination on user controlled data in WLAN. A local authenticated attacker can trigger out-of-bounds read error and disclose information, disrupt service and modificate the target applications.

The vulnerability exists in: Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

• https://www.codeaurora.org/security-bulletin/2019/06/03/june-2019-code-aurora-security-bulletin
• https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=477...