VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2018 · Updated Sep 16, 2024

CVE-2018-3566

Description

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a buffer overwrite may occur in ProcSetReqInternal() due to missing length check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overwrite in Qualcomm's ProcSetReqInternal() due to a missing length check allows local privilege escalation on Android devices.

Vulnerability

A buffer overwrite vulnerability exists in the ProcSetReqInternal() function within Qualcomm components used in Android for MSM, Firefox OS for MSM, and QRD Android. The flaw is caused by a missing length check, which allows a buffer write beyond the allocated boundary. Affected versions include all Android releases from CAF using the Linux kernel before the security patch level 2018-04-05 [1].

Exploitation

An attacker with local access to the device and the ability to execute code can trigger the buffer overwrite by sending a crafted request to ProcSetReqInternal(). No additional privileges or user interaction are required beyond being able to run a program on the target system [1].

Impact

Successful exploitation leads to a buffer overwrite, which can corrupt memory and potentially allow an attacker to execute arbitrary code or escalate privileges to the kernel level. This results in a full compromise of the device's confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is addressed in the Android security patch level 2018-04-05, as released in the April 2018 Security Bulletin [1]. Users should apply the latest security updates from their device manufacturer. No workarounds are available; updating to the patched version is the only mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

1
