CVE-2018-9387

High

Published: 18 January 2025

Published

18 January 2025

Modified

10 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In multiple functions of mnh-sm.c, there is a possible way to trigger a heap overflow due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2018-9387 is a heap overflow vulnerability stemming from an integer overflow in multiple functions within mnh-sm.c. This issue affects Android Pixel devices, as documented in the relevant security bulletin.

A local attacker with low privileges (PR:L) can exploit the vulnerability with low attack complexity and no user interaction required. Exploitation enables local escalation of privilege without needing additional execution privileges, resulting in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The root cause is classified under CWE-120.

The Android Pixel security bulletin from June 2018, available at https://source.android.com/security/bulletin/pixel/2018-06-01, details patches and mitigation steps for addressing this vulnerability in affected devices.

Details

CWE(s): CWE-120

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2018-06-01
Vendor Advisory · security@android.com