CVE-2015-9184
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, and SD 835, lack of length checking in wv_dash_core_load_keys_v8() could lead to a buffer overflow vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing length check in Qualcomm's wv_dash_core_load_keys_v8() function on multiple Snapdragon SoCs leads to a buffer overflow that can allow privilege escalation.
Vulnerability
A buffer overflow vulnerability exists in the wv_dash_core_load_keys_v8() function of the Qualcomm Widevine DRM component on multiple Snapdragon platforms. The issue stems from a lack of length validation before copying data, which can result in memory corruption. Affected chipsets include MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, and SD 835. This was addressed in the Android security patch level of 2018-04-05 or earlier [1].
Exploitation
An attacker needs local code execution capability and kernel privileges to trigger the buffer overflow. The function is called during Widevine DRM key loading operations. By crafting malicious input with an overly long key component, an attacker can overflow an internal buffer, potentially corrupting adjacent kernel memory. No user interaction beyond running a crafted application is required once the attacker has a foothold.
Impact
Successful exploitation could allow an attacker to elevate privileges within the kernel context, leading to arbitrary code execution with kernel-level permissions. This could result in complete compromise of the device's integrity and confidentiality, including access to protected DRM content and system data.
Mitigation
The vulnerability is fixed in the Android security patch level of 2018-04-05 or earlier, as published in the April 2018 Android Security Bulletin [1]. Users should ensure their devices have received this or a later security update. No workarounds are provided in the references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- Range: <=2018-04-05
- Range: <=2018-04-05
- Range: <=2018-04-05
- Qualcomm, Inc./Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wearv5Range: MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- www.securityfocus.com/bid/103671mitrevdb-entryx_refsource_BID
- source.android.com/security/bulletin/2018-04-01mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.