CVE-2018-5848Improper Restriction of Operations within the Bounds of a Memory Buffer in Linux

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-190Integer Overflow or WraparoundCWE-120Classic Buffer Overflow7 documents7 sources
Severity
7.8HIGHNVD
EPSS
0.2%
top 64.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Linux KernelDebian LinuxRedhat Enterprise Linux Desktop+3 more
Timeline
PublishedJun 12
Latest updateMay 14

Description

In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

Debianlinux/linux_kernel< 4.16.5-1+3

Also affects: Debian Linux 8.0

Patches

Patch: www.codeaurora.orgPatch: www.codeaurora.org

🔴Vulnerability Details

3
GHSA
GHSA-hf9h-mjmm-hjj4: In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly2022-05-14
OSV
CVE-2018-5848: In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly2018-06-12
CVEList
CVE-2018-5848: In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly2018-06-12

📋Vendor Advisories

2
Debian
CVE-2018-5848: linux - In the function wmi_set_ie(), the length validation code does not handle unsigne...2018
Red Hat
kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption2017-12-02

💬Community

1
Bugzilla
CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption2018-06-13
CVE-2018-5848 — Debian Linux vulnerability | cvebase