VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2018 · Updated Sep 16, 2024

CVE-2018-5824

Description

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while processing HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND messages, a buffer overflow can occur if the tid value obtained from the firmware is out of range.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overflow in the Qualcomm Wi-Fi driver allows remote code execution via out-of-range TID values in firmware messages.

Vulnerability

A buffer overflow exists in the Qualcomm Wi-Fi driver processing HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND messages. The vulnerability occurs when the tid value obtained from firmware is out of range, leading to a buffer overflow. This affects Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05 [1].
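The out-of-range tid condition described above, as an added example that is not Qualcomm's driver code: it sets the unchecked indexing pattern beside a bounds-checked handler. The struct and function names, the 16-slot table and the 4-byte message layout are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sizes and message layout, constructed for illustration:
 * byte 0 = message type, byte 1 = tid, bytes 2-3 = sequence range. */
#define EX_NUM_TIDS 16   /* slots in the per-peer TID table (assumed) */
#define EX_MSG_LEN  4

struct ex_tid_state { uint8_t seq_start, seq_end, flushed; };
struct ex_peer {
    struct ex_tid_state tids[EX_NUM_TIDS];
    uint32_t rejected;   /* dropped-message counter, usable as telemetry */
};

/* "Before" pattern: tid is taken from the firmware message and used as an
 * array index unchecked, so tid >= EX_NUM_TIDS writes past peer->tids. */
void ex_rx_flush_unchecked(struct ex_peer *peer, const uint8_t *msg)
{
    uint8_t tid = msg[1];
    peer->tids[tid].seq_start = msg[2];
    peer->tids[tid].seq_end = msg[3];
    peer->tids[tid].flushed = 1;
}

/* "After" pattern: check length and tid before any indexing.
 * Returns 0 when the message is applied, -1 when it is dropped. */
int ex_rx_flush_checked(struct ex_peer *peer, const uint8_t *msg, size_t len)
{
    if (peer == NULL || msg == NULL || len < EX_MSG_LEN)
        return -1;
    uint8_t tid = msg[1];
    if (tid >= EX_NUM_TIDS) {
        peer->rejected++;
        return -1;
    }
    peer->tids[tid].seq_start = msg[2];
    peer->tids[tid].seq_end = msg[3];
    peer->tids[tid].flushed = 1;
    return 0;
}

int main(void)
{
    struct ex_peer peer = {0};
    const uint8_t bad[EX_MSG_LEN] = {0x01, 200, 10, 20}; /* constructed: tid 200 */
    printf("tid 200 -> %d\n", ex_rx_flush_checked(&peer, bad, sizeof bad));
    return 0;
}
```

The `rejected` counter gives a driver a cheap signal to log when firmware-supplied values fail validation.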

Exploitation

An attacker requires proximity to the victim device to send crafted Wi-Fi frames. The attacker needs to be within Wi-Fi range and send a specially crafted message with an out-of-range tid value. No authentication is required as the vulnerability is in the firmware message parsing path before any access control checks [1].

Impact

Successful exploitation leads to a buffer overflow, which can cause memory corruption and potentially allow arbitrary code execution in the context of the Wi-Fi driver. This could result in a complete compromise of the device's Wi-Fi subsystem and enable further privilege escalation [1].

Mitigation

The issue was fixed in the Android security patch level 2018-04-05. Users should ensure their devices receive this or later security updates. For Pixel/Nexus devices, the fix was included in the April 2018 security bulletin. There is no workaround besides applying the vendor-supplied patch [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
