CVE-2015-9156

Vulnerability

In Android before 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear platforms (including MDM9206, MDM9607, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 800, SD 808, and SD 810), a buffer overflow occurs when processing a high-speed Dual Carrier Downlink Data call in a multicell environment. The issue lies in the modem firmware's handling of packet data, allowing an attacker to trigger memory corruption.

Exploitation

An attacker with network access to the device's cellular connection could exploit this vulnerability by sending specially crafted signaling messages during a Dual Carrier Downlink Data call. No user interaction or elevated privileges on the device are required; the attacker only needs to be within range of the target device's cellular network. Successful exploitation involves triggering the overflow while the device is in a multicell environment.

Impact

Successful exploitation leads to a buffer overflow, which can cause memory corruption. This could result in arbitrary code execution within the modem firmware, potentially allowing the attacker to execute arbitrary code at the modem's privilege level, leading to full compromise of the modem subsystem and, in some cases, escalation of privilege to the Android kernel.

Mitigation

The issue was fixed in the Android security patch level of 2018-04-05 [1]. Users should ensure their devices have received the April 2018 or later security update. No workaround is available for unpatched devices. The vulnerability is not listed as exploited in the wild on the CISA KEV catalog.