CVE-2015-9138
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear, and Small Cell SoC FSM9055, IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, and SDX20, when an RSA encryption operation is called, the ce_util_to_unsigned_bin is invoked to convert the input buffer to unsigned binary. The ce_util_to_unsigned_bin function, instead of operating on the size of the unsigned character buffer that is passed, operates on the address - i.e. operates on "c" instead of "*c". Decrementing the address to check if it is less than zero means that the operation will always pass, since a pointer will never be less than zero, and may result in a buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Qualcomm cryptographic routine mishandles pointer arithmetic, leading to potential buffer overflow in affected Android SoCs.
Vulnerability
CVE-2015-9138 is a buffer overflow vulnerability in the Qualcomm ce_util_to_unsigned_bin cryptographic function present in Android kernels before the 2018-04-05 security patch level. The function incorrectly uses a pointer address (c) instead of the value it points to (*c) when checking for a negative value, causing the decrement check to always pass. The affected SoCs include Snapdragon Automobile, Mobile, Wear, Small Cell SoC FSM9055, IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, and SDX20 [1].
Exploitation
An attacker does not require special privileges or authentication; the vulnerability is reachable when an RSA encryption operation is invoked on a device with an affected Qualcomm SoC. The flaw triggers when ce_util_to_unsigned_bin is called during RSA encryption; the pointer address is decremented without a bounds check, allowing out-of-bounds memory access. No user interaction is needed beyond the normal RSA encryption flow [1].
Impact
Successful exploitation could lead to a buffer overflow, potentially enabling an attacker to cause a denial of service (system crash) or execute arbitrary code. The compromise occurs at the privilege level of the cryptographic service, which may be elevated (kernel-level on some SoCs). Information disclosure or further elevation of privilege is possible if the overflow is carefully triggered [1].
Mitigation
Google released a fix in the Android Security Bulletin for April 2018 (2018-04-05 security patch level). All Android partners and device vendors were required to apply the patch. For unpatched devices, no workaround is available; updating to the latest Android security patch is the only mitigation. The impacted SoCs are widely used in mobile, automotive, and IoT platforms, making timely patching critical [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: before 2018-04-05 security patch level
- Qualcomm, Inc./Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear, Small Cell SoCv5Range: FSM9055, IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDX20
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- www.securityfocus.com/bid/103671mitrevdb-entryx_refsource_BID
- source.android.com/security/bulletin/2018-04-01mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.