VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2018 · Updated Sep 16, 2024

CVE-2017-11075

Description

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, if cmd_pkt and reg_pkt are called from different userspace threads, a use after free condition can potentially occur in wdsp_glink_write().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Qualcomm WCD9330 driver allows memory corruption via concurrent calls to cmd_pkt and reg_pkt from different userspace threads.

Vulnerability

In the Qualcomm WCD9330 audio codec driver used in Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a use-after-free condition exists in wdsp_glink_write(). The bug is triggered when cmd_pkt and reg_pkt ioctl handlers are called from different userspace threads concurrently, leading to a race condition that frees shared data while it is still in use [1].

Exploitation

An attacker requires the ability to execute two threads simultaneously on the target device, both issuing specific ioctl calls (cmd_pkt and reg_pkt) to the affected WCD9330 driver. No authentication is needed; the attacker must have local access to the device to run code that performs these concurrent calls. The race window is small and may require multiple attempts to trigger successfully [1].

Impact

Successful exploitation allows an attacker to corrupt kernel memory, potentially leading to a denial of service (device crash or reboot) or privilege escalation, as the use-after-free can be leveraged to execute arbitrary code in kernel context. The vulnerability is rated High severity (CVSS 7.8) [1].

Mitigation

The fix was included in the Android security patch level 2018-04-05. Users should ensure their devices receive the April 2018 security update or later. The Pixel/Nexus Security Bulletin April 2018 confirms this issue is addressed. No workaround is available; applying the vendor patch is necessary [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
