Cyber Posture

CVE-2018-9389

High

Published: 18 January 2025

Modified: 03 February 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In ip6_append_data of ip6_output.c, there is a possible way to achieve code execution due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2018-9389 is a heap buffer overflow vulnerability in the ip6_append_data function of ip6_output.c. This flaw enables possible code execution and affects the Android kernel, as detailed in the Android Pixel security bulletin.

A local attacker with low privileges (PR:L) can exploit this vulnerability; attack complexity is low (AC:L) and no user interaction is required (UI:N). No additional execution privileges are needed beyond the attacker's base access. Successful exploitation leads to local escalation of privilege, with high impact on confidentiality, integrity, and availability (CVSS 3.1 score of 7.8; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue is classified under CWE-787 (Out-of-bounds Write).

The Android security bulletin for Pixel devices, published June 1, 2018 (https://source.android.com/security/bulletin/pixel/2018-06-01), addresses this vulnerability with patches for affected components.

Details

CWE(s)
CWE-787

Affected Products

google android (all versions)

References