CVE-2018-9426Insufficient Entropy in Google Android

CWE-331Insufficient Entropy2 documents2 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 60.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedDec 2
Latest updateDec 3

Description

In RsaKeyPairGenerator::getNumberOfIterations of RSAKeyPairGenerator.java, an incorrect implementation could cause weak RSA key pairs being generated. This could lead to crypto vulnerability with no additional execution privileges needed. User interaction is not needed for exploitation. Bulletin Fix: The fix is designed to correctly implement the key generation according to FIPS standard.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5google/android7, 8+1
NVDgoogle/android5 versions+4

Patches

Patch: source.android.com

🔴Vulnerability Details

1
GHSA
GHSA-pjm2-9jh6-vjw2: In RsaKeyPairGenerator::getNumberOfIterations of RSAKeyPairGenerator2024-12-03