CVE-2015-9216

Vulnerability

A race condition exists in the USB subsystem of multiple Qualcomm Snapdragon SoCs due to improper handling of simultaneous interrupts during USB RESET and endpoint (EP) COMPLETE events. The vulnerable code path is reachable on Android devices running a security patch level before April 2018. Affected chipsets include MDM9206, MDM9607, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, and SD 810 [1].

Exploitation

An attacker needs physical USB access or the ability to trigger a USB reset on the device. The exploit requires precise timing to cause a RESET and EP_COMPLETE interrupt to arrive concurrently. No authentication is required, but the attacker must be able to connect a USB peripheral or inject USB events. By repeatedly initiating USB resets while endpoints complete, the attacker can win the race window [1].

Impact

Successful exploitation leads to a use-after-free or similar memory corruption in the USB driver. The attacker may cause a denial of service (system crash) or potentially execute arbitrary code in the kernel context. The impact is a full compromise of the affected device's confidentiality, integrity, and availability [1].

Mitigation

Google released a fix in the Android Security Bulletin for April 2018 (2018-04-05 security patch level). Users should update to the latest Android security patch. Qualcomm also provided a patch to OEMs. No workaround is available for unpatched devices [1].