Use of uninitialized resource in Google Android

#VU34458 Use of uninitialized resource in Google Android

Published: 2020-04-17 | Updated: 2020-08-08

Vulnerability identifier: #VU34458

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20785

CWE-ID: CWE-908

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

An issue was discovered on LG mobile devices with Android OS 8.0 and 8.1 software for the DTAG carrier. RILD in the radio layer uses an uninitialized variable. The LG ID is LVE-SMP-180013 (January 2019).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android: 8.0 - 8.1

External links
http://lgsecurity.lge.com/

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Use of uninitialized resource in Google, Google Android