CVE-2017-11090
Description
A buffer overread in Qualcomm WLAN driver via a short PMKID allows potential information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overread vulnerability exists in the __wlan_hdd_cfg80211_set_pmksa function within the Qualcomm WLAN HDD driver. When a user space application sends a PMKID shorter than WLAN_PMKID_LEN bytes, the driver reads beyond the allocated buffer. This affects Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel. The vulnerability is listed in the Android security bulletin for Pixel/Nexus devices dated November 2017 [1].
Exploitation
An attacker requires the ability to send crafted PMKID requests to the affected device through a wireless network stack interface, typically requiring local access to the system or a malicious application with sufficient privileges to issue the cfg80211 command. The attacker must provide a PMKID structure with a length smaller than the expected WLAN_PMKID_LEN (32 bytes) to trigger the overread. No user interaction beyond launching the malicious application is required [1].
Impact
Successful exploitation allows an attacker to read kernel memory beyond the intended buffer, leading to information disclosure. This can leak sensitive data such as keying material or other memory contents. The vulnerability does not directly provide arbitrary code execution but can compromise confidentiality of system data [1].
Mitigation
Google released a fix as part of the November 2017 Pixel/Nexus Security Bulletin. The update includes a patch that adds proper length validation for the PMKID input. Users should apply the Android security update level of 2017-11-05 or later. No known workaround exists without the patch [1].
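The fixed-length read described under Vulnerability and the length validation described under Mitigation, as an added user-space C sketch that is not the Qualcomm driver's code. All demo_ names, DEMO_PMKID_LEN (a constructed stand-in for WLAN_PMKID_LEN) and the sample bytes are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_PMKID_LEN 16 /* constructed stand-in for the driver's WLAN_PMKID_LEN */

/* Hypothetical model of a length-tagged attribute handed over from user space. */
struct demo_attr { const uint8_t *data; size_t len; };
struct demo_pmk_entry { uint8_t pmkid[DEMO_PMKID_LEN]; };

/* Flawed pattern: copies the fixed length and never looks at a->len. */
static int demo_set_pmksa_unchecked(struct demo_pmk_entry *e, const struct demo_attr *a)
{
    memcpy(e->pmkid, a->data, DEMO_PMKID_LEN);
    return 0;
}

/* Validated pattern: anything that is not exactly the fixed length is rejected. */
static int demo_set_pmksa_checked(struct demo_pmk_entry *e, const struct demo_attr *a)
{
    if (a == NULL || a->data == NULL || a->len != DEMO_PMKID_LEN)
        return -EINVAL;
    memcpy(e->pmkid, a->data, DEMO_PMKID_LEN);
    return 0;
}

/* Constructed buffer: 4-byte PMKID, then unrelated bytes in the same array (keeps the demo read in bounds). */
static const uint8_t demo_msg[32] = { 0xAA, 0xBB, 0xCC, 0xDD,
    'N', 'E', 'I', 'G', 'H', 'B', 'O', 'U', 'R', '-', 'D', 'A', 'T', 'A' };

/* Bytes beyond the declared length (<= DEMO_PMKID_LEN) that end up in the stored entry. */
static size_t demo_bytes_past_declared(size_t declared_len)
{
    struct demo_attr a = { demo_msg, declared_len };
    struct demo_pmk_entry e = { {0} };
    demo_set_pmksa_unchecked(&e, &a);
    return memcmp(e.pmkid + a.len, demo_msg + a.len, DEMO_PMKID_LEN - a.len) == 0 ? DEMO_PMKID_LEN - a.len : 0;
}

/* Return code of the validated handler for the same buffer and declared length. */
static int demo_checked_result(size_t declared_len)
{
    struct demo_attr a = { demo_msg, declared_len };
    struct demo_pmk_entry e;
    return demo_set_pmksa_checked(&e, &a);
}

int main(void)
{
    printf("unchecked, len 4: %zu neighbouring bytes stored; checked, len 4: %d; checked, len %d: %d\n",
           demo_bytes_past_declared(4), demo_checked_result(4), DEMO_PMKID_LEN, demo_checked_result(DEMO_PMKID_LEN));
    return 0;
}
```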
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Qualcomm, Inc./Android for MSM, Firefox OS for MSM, QRD Android (v5). Range: All Android releases from CAF using the Linux kernel
Patches
No patches discovered yet.
References
[1] source.android.com/security/bulletin/pixel/2017-11-01 (nvd: Patch, Vendor Advisory)