CVE-2019-5260

Vulnerability

CVE-2019-5260 is a denial of service vulnerability in Huawei smartphones HUAWEI Y9 2019 and Honor View 20. The flaw resides in the parsing of TD-SCDMA messages due to insufficient input validation of a specific value. Affected versions include ALP-AL00B 8.0.0.153(C00), ALP-L09 8.0.0.153(C432), and ALP-L29 8.0.0.145(C636) [1].

Exploitation

An attacker must operate a rogue base station within radio range of the target device. No authentication or user interaction is required. The attacker sends specially crafted TD-SCDMA messages to the device. When the device processes these messages, the insufficient validation triggers an infinite loop, causing the device to become unresponsive and reboot [1].

Impact

Successful exploitation results in a denial of service condition. The device enters an infinite loop and reboots, temporarily disrupting service. No data confidentiality or integrity impact is reported [1].

Mitigation

Huawei has released software updates to fix the vulnerability. The resolved versions are: ALP-AL00B 9.1.0.333(C00E333R2P1T8), ALP-L09 9.1.0.300(C432E4R1P9T8), and ALP-L29 9.1.0.315(C…). Users should update their devices to the latest firmware via the official update mechanism. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].