CVE-2018-9401

High

Published: 18 January 2025

Published

18 January 2025

Modified

10 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In many locations, there is a possible way to access kernel memory in user space due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2018-9401 is a vulnerability stemming from an incorrect bounds check that enables access to kernel memory from user space in multiple locations. It affects Android software, particularly Pixel devices as detailed in the associated security bulletin. The issue, tied to CWE-276, allows for local escalation of privilege without requiring additional execution privileges or user interaction, earning a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges, such as one running a malicious app, can exploit this vulnerability to read kernel memory and elevate privileges. Successful exploitation grants high-impact control over confidentiality, integrity, and availability, potentially leading to full device compromise.

The Android security bulletin for Pixel devices, published on June 1, 2018, addresses CVE-2018-9401 with patches to correct the bounds check and prevent kernel memory access from user space.

Details

CWE(s): CWE-276

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2018-06-01
Vendor Advisory · security@android.com