Unrated severity · NVD Advisory · Published Jul 6, 2018 · Updated Sep 16, 2024

CVE-2018-5872

Description

While parsing over-the-air information elements in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, the use of an out-of-range pointer offset can occur.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-range pointer offset during OTA information element parsing in Android for MSM could lead to information disclosure or denial of service.

Vulnerability

In all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before the security patch level 2018-07-05, while parsing over-the-air information elements, the use of an out-of-range pointer offset can occur. This affects the wireless subsystem handling of over-the-air (OTA) frames, where improper bounds checking allows an attacker to craft a malicious information element that causes the parser to access memory beyond the intended buffer [1].
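A bounds-checked walk over a buffer of information elements, as an added example (not code from the advisory or from the affected driver). It assumes the common id/length/payload element layout, which the page does not specify; `ie_find` and the sample buffers are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (not stated on the page): [1-byte id][1-byte length][payload],
 * elements packed back to back. ie_find() is a hypothetical helper name. */
#define IE_HDR_LEN 2u

/* Returns 0 and sets *payload / *payload_len when want_id is found,
 * -1 if it is absent, -2 if the buffer is malformed. */
int ie_find(const uint8_t *buf, size_t buf_len, uint8_t want_id,
            const uint8_t **payload, size_t *payload_len)
{
    size_t off = 0;

    while (off < buf_len) {
        size_t remaining = buf_len - off;

        /* A truncated header must not be read at all. */
        if (remaining < IE_HDR_LEN)
            return -2;
        uint8_t id = buf[off];
        size_t len = buf[off + 1];

        /* The length byte is sender-controlled: compare it with the bytes
         * actually left before using it to form a pointer or advance. */
        if (len > remaining - IE_HDR_LEN)
            return -2;
        if (id == want_id) {
            *payload = buf + off + IE_HDR_LEN;
            *payload_len = len;
            return 0;
        }
        off += IE_HDR_LEN + len;
    }
    return -1;
}

/* Constructed sample buffers, not captured traffic. */
const uint8_t ie_good[] = { 0x00, 0x03, 'a', 'b', 'c', 0x30, 0x02, 0x01, 0x00 };
const uint8_t ie_overlong[] = { 0x00, 0x03, 'a', 'b', 'c', 0x30, 0x7f, 0x01 };
const uint8_t ie_truncated[] = { 0x00, 0x01, 'a', 0x30 };

int main(void)
{
    const uint8_t *p;
    size_t n;
    /* Exit status 0 when the over-long element is rejected. */
    return ie_find(ie_overlong, sizeof ie_overlong, 0x30, &p, &n) == -2 ? 0 : 1;
}
```

Returning a distinct code for a malformed buffer lets the caller drop the whole frame rather than continue with a partially parsed one.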

Exploitation

An attacker with proximity to the device (within wireless range) can send a specially crafted over-the-air frame containing a malicious information element. No authentication is required, as the parsing occurs before any cryptographic validation. The attacker triggers the out-of-range pointer offset by manipulating specific fields within the information element to cause the parser to calculate an incorrect pointer offset [1].

Impact

Successful exploitation results in an out-of-bounds read of kernel memory (information disclosure) or a denial of service (system crash or reboot). The Google Android Security Bulletin notes that the vulnerability could result in a local escalation of privilege if combined with other exploits; on its own, exploitation is limited to information disclosure or denial of service because the flaw is an out-of-range pointer offset [1].

Mitigation

The fix is included in the Android security patch level 2018-07-05 or later. Users should update their devices to this patch level or newer. The patch was released in the July 2018 Android Security Bulletin [1]. For devices that have reached end-of-life (EOL), no further patches may be available; users should consider upgrading to a supported device.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
