CVE-2011-1823
published 2011-06-09


Priority: P1 81 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV): yes, remediation due 2022-09-29
Exploited in the wild (ITW): yes
EPSS: 41.63% (98.5th percentile)
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.

Affected (2 ranges)

Vendor   Product   Version range      Fixed in
google   android   -                  -
google   android   >= 2.0, < 2.3.4    2.3.4

Detection & IOCs (extracted from sources)

other: Gingerbreak
other: Exploit.AndroidOS.Lotoor
url: https://android.googlesource.com/platform/system/vold/+/c51920c82463b240e2be0430849837d6fdc5352e
  • Monitor for unprivileged local processes that create PF_NETLINK sockets and send messages which vold (the volume manager daemon) consumes. vold is meant to receive block-device uevents from the kernel; a userland sender on that channel is the precondition for this exploit.
  • The root cause is a maximum-only signed integer check on the partition index in DirectVolume::handlePartitionAdded: a negative index passes the check, is used as an array offset, and corrupts memory, which Gingerbreak turns into root. A netlink message carrying a negative partition index is therefore the exploitation signature to look for.
  • Treat the presence of the GingerBreak exploit tool or the Exploit.AndroidOS.Lotoor malware family on a device as an indicator of CVE-2011-1823 exploitation activity.
  • Only Android 3.0 and 2.x before 2.3.4 are affected; devices running 2.3.4 or later, or carrying the vold patch referenced above, are not affected.
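The negative-index bypass in the description and in the second detection bullet, as an added example that is not vold's source and not from this page: a hypothetical handle_partition_added() that parses a constructed uevent-style netlink message (NUL-separated KEY=value pairs) and applies either the maximum-only check or the two-sided fix before storing the partition minor. Volume, MAX_PARTITIONS, the function names and the three sample messages are assumptions for this example; the out-of-bounds store is reported rather than performed so the program stays well-defined.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the CVE-2011-1823 bug class. Not vold's code: the struct,
 * the constant and every name below are assumptions made for this example. */

#define MAX_PARTITIONS 4

typedef struct {
    int partMinors[MAX_PARTITIONS];   /* minor number per partition, 1-based PARTN */
} Volume;

/* Vulnerable check: only the upper bound is tested, so PARTN=-1 passes. */
static bool check_partn_vulnerable(int part_num) {
    return part_num <= MAX_PARTITIONS;
}

/* Hardened check: both bounds, matching the 1-based PARTN convention. */
static bool check_partn_fixed(int part_num) {
    return part_num >= 1 && part_num <= MAX_PARTITIONS;
}

/* Find KEY=value in a NUL-separated key=value blob and parse it as a
 * signed decimal. Returns false if the key is absent or has no value. */
static bool get_int_field(const char *msg, size_t len, const char *key, int *out) {
    size_t klen = strlen(key);
    for (size_t i = 0; i < len; ) {
        const char *kv = msg + i;
        const char *end = memchr(kv, '\0', len - i);
        size_t kvlen = end ? (size_t)(end - kv) : len - i;
        if (kvlen > klen + 1 && strncmp(kv, key, klen) == 0 && kv[klen] == '=') {
            *out = (int)strtol(kv + klen + 1, NULL, 10);
            return true;
        }
        i += kvlen + 1;
    }
    return false;
}

/* Returns  0: index accepted and minor stored inside partMinors;
 *          1: accepted by the check, but the store would land outside
 *             partMinors (the memory corruption; not performed here);
 *         -1: message rejected (missing fields or index out of range). */
static int handle_partition_added(Volume *v, const char *msg, size_t len, bool hardened) {
    int part_num, minor;
    if (!get_int_field(msg, len, "PARTN", &part_num)) return -1;
    if (!get_int_field(msg, len, "MINOR", &minor)) return -1;

    bool ok = hardened ? check_partn_fixed(part_num) : check_partn_vulnerable(part_num);
    if (!ok) return -1;

    int idx = part_num - 1;                 /* PARTN is 1-based */
    if (idx < 0 || idx >= MAX_PARTITIONS)   /* real code has no such guard */
        return 1;
    v->partMinors[idx] = minor;
    return 0;
}

/* Constructed messages in uevent layout; sizeof() includes the final NUL. */
static const char MSG_NEG[] = "ACTION=add\0SUBSYSTEM=block\0PARTN=-1\0MINOR=3";
static const char MSG_OK[]  = "ACTION=add\0SUBSYSTEM=block\0PARTN=2\0MINOR=3";
static const char MSG_BIG[] = "ACTION=add\0SUBSYSTEM=block\0PARTN=9\0MINOR=3";

int main(void) {
    Volume v;
    memset(&v, 0, sizeof v);
    printf("PARTN=-1, max-only check : %d\n", handle_partition_added(&v, MSG_NEG, sizeof MSG_NEG, false));
    printf("PARTN=-1, two-sided check: %d\n", handle_partition_added(&v, MSG_NEG, sizeof MSG_NEG, true));
    printf("PARTN=2,  max-only check : %d\n", handle_partition_added(&v, MSG_OK, sizeof MSG_OK, false));
    printf("PARTN=9,  max-only check : %d\n", handle_partition_added(&v, MSG_BIG, sizeof MSG_BIG, false));
    return 0;
}
```

Return code 1 on the first call is the whole bug: the maximum-only check is satisfied by a negative index, and the write that follows in the real daemon lands before the array. The two-sided check rejects the same message, which is the shape of the vold fix referenced above.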

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -         7.8     HIGH       -
cisa       -         7.8     HIGH       -