Unrated severity · NVD Advisory · Published Mar 16, 2018 · Updated Sep 17, 2024

CVE-2017-18052

Description

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for cmpl_params->num_reports, param_buf->desc_ids and param_buf->status in wma_mgmt_tx_bundle_completion_handler(), which are received from firmware, leads to a potential out-of-bounds memory read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper validation of firmware-supplied parameters in the WLAN driver for Android leads to an out-of-bounds memory read.

Vulnerability

In Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, the WLAN driver function wma_mgmt_tx_bundle_completion_handler() does not properly validate the firmware-supplied parameters cmpl_params->num_reports, param_buf->desc_ids, and param_buf->status. This lack of input validation can lead to an out-of-bounds memory read. The vulnerability affects devices with Qualcomm components that include the affected WLAN driver [1].
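The kind of check the description says was missing, sketched as an added example (not the driver's code and not the actual patch): the firmware-claimed count is fetched once and accepted only if both arrays really contain that many entries. The structure layouts, the `num_desc_ids` and `num_status` length fields, `MAX_REPORTS`, and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified event layout; not the driver's real structures. */
struct cmpl_params { uint32_t num_reports; };        /* count claimed by firmware */
struct param_buf {
    const struct cmpl_params *cmpl_params;
    const uint32_t *desc_ids; uint32_t num_desc_ids; /* entries actually received */
    const uint32_t *status;   uint32_t num_status;   /* entries actually received */
};

#define MAX_REPORTS 64u /* assumed upper bound, chosen for this example */

/* Fetch the claimed count once; accept it only if both arrays cover it. */
static int checked_count(const struct param_buf *pb, uint32_t *n_out)
{
    if (!pb || !pb->cmpl_params || !pb->desc_ids || !pb->status)
        return -1;
    uint32_t n = pb->cmpl_params->num_reports;
    if (n > MAX_REPORTS || n > pb->num_desc_ids || n > pb->num_status)
        return -1;
    *n_out = n;
    return 0;
}

/* Returns the number of reports with nonzero status, or -1 if the event is
 * rejected. The descriptor id of the first such report goes to *first_failed_id. */
int process_bundle(const struct param_buf *pb, uint32_t *first_failed_id)
{
    uint32_t n;
    int failed = 0;
    if (checked_count(pb, &n) != 0)
        return -1;                          /* drop the event, read nothing */
    for (uint32_t i = 0; i < n; i++) {      /* i < n <= both array lengths */
        if (pb->status[i] == 0)
            continue;
        if (failed++ == 0 && first_failed_id)
            *first_failed_id = pb->desc_ids[i];
    }
    return failed;
}

/* Constructed sample: 3 real entries, with the count the firmware claims. */
int demo(uint32_t claimed)
{
    static const uint32_t ids[3] = { 10, 11, 12 }, st[3] = { 0, 1, 0 };
    struct cmpl_params cp = { claimed };
    struct param_buf pb = { &cp, ids, 3, st, 3 };
    uint32_t id = 0;
    return process_bundle(&pb, &id);
}

int main(void) { return (demo(3) == 1 && demo(9) == -1) ? 0 : 1; }
```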

Exploitation

An attacker would need to compromise the firmware or otherwise control the firmware responses sent to the WLAN driver. The vulnerability does not require user interaction or special privileges beyond normal system access to trigger the out-of-bounds read when the driver processes a crafted firmware message containing the malformed parameters [1].

Impact

Successful exploitation could allow an attacker to read out-of-bounds kernel memory, potentially leading to the disclosure of sensitive information. The information read could include kernel addresses or other confidential data, which might assist in further attacks against the system [1].

Mitigation

Google addressed this vulnerability in the March 2018 Pixel/Nexus Security Bulletin; the fix is included in security patch level 2018-03-05 or later. Affected devices should update to the latest available firmware from their vendor. No workaround is available for unpatched devices [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

2