CRITICAL🇵🇱 Wersja polska

CVE-2018-9416

CVSS 10.0v4.0pub. 2024-12-05upd. 2024-12-18

In sg_remove_scat of scsi/sg.c, there is a possible memory corruption due to an unusual root cause. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

🤖 AI Analysis
How it works

A vulnerability classified as CWE-787 (out-of-bounds write) occurs in the sg_remove_scat function handling the SCSI generic (sg) driver in the Android kernel. Improper operation on scatter-gather memory structures can result in data being written outside the intended memory area (out-of-bounds write). Exploitation of this vulnerability requires System-level execution privileges, but does not require any user interaction.

Impact

An attacker with System privileges can cause kernel memory corruption and achieve local privilege escalation on an Android device.

Mitigation & patch

Apply patches available from the vendor according to the references — Pixel security bulletin dated 2018-07-01 (https://source.android.com/security/bulletin/pixel/2018-07-01)

Who is affected

Google Android — versions indicated in the vendor's references (Pixel security bulletin, July 2018)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Google Android

    OS
    Google
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-16010CRITICAL9.6⚠ KEVten sam produkt

Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...

CVE-2016-1019CRITICAL9.8⚠ KEVten sam produkt

Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...

CVE-2026-13851CRITICAL9.1ten sam produkt

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...

CVE-2026-13852CRITICAL9.1ten sam produkt

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...

CVE-2026-14106CRITICAL9.6ten sam produkt

Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed ...