CVE-2017-18065
Description
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vent->vdev_id in wma_action_frame_filter_mac_event_handler(), which is received from firmware, leads to arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation of a firmware-provided device ID in the WMA action frame filter handler leads to arbitrary code execution on affected Android devices.
Vulnerability
In Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, the function wma_action_frame_filter_mac_event_handler() improperly validates the vent->vdev_id field received from firmware. This code path is reachable during processing of WLAN action frames when the firmware sends a crafted event. The vulnerability affects devices with a security patch level before March 2018, specifically those using the affected Qualcomm components [1].
Exploitation
An attacker needs to supply or trigger delivery of a specially crafted firmware event containing an invalid vent->vdev_id value. No user interaction is required beyond the device processing the WLAN frame; the attacker must be within radio range of the target device to transmit the malicious frame. The lack of input validation allows the attacker to cause the kernel to access memory outside of expected bounds as part of the handler's processing [1].
Impact
Successful exploitation results in arbitrary code execution within the kernel context. The attacker gains the ability to execute code with kernel privileges, leading to full compromise of the device's confidentiality, integrity, and availability. The vulnerability is rated High severity by Google [1].
Mitigation
The fix was included in the March 2018 Pixel/Nexus Security Bulletin, with a security patch level of 2018-03-05 or later [1]. All supported Google devices received the update at that time. For affected Qualcomm-based devices from other vendors, users should apply vendor-provided updates. No workaround other than applying the patch is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- source.android.com/security/bulletin/pixel/2018-03-01 (mitre, x_refsource_CONFIRM)
- source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/ (mitre, x_refsource_MISC)