CVE-2018-9375
Published: 17 January 2025
Description
In multiple functions of UserDictionaryProvider.java, there is a possible way to add and delete words in the user dictionary due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2018-9375 is a vulnerability in multiple functions of UserDictionaryProvider.java within Android, caused by a confused deputy issue. This flaw allows unauthorized addition and deletion of words in the user dictionary, potentially leading to local escalation of privilege. No additional execution privileges or user interaction are required for exploitation, as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and associated CWE-269 (Improper Privilege Management).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of need for user interaction. Successful exploitation enables escalation of privileges, resulting in high impacts on confidentiality, integrity, and availability.
The Android security bulletin for Pixel devices details patches and mitigations at https://source.android.com/security/bulletin/pixel/2018-06-01.
Details
- CWE(s)