CVE-2018-9478
published 2024-11-20CVE-2018-9478: In process_service_attr_req and process_service_search_attr_req of sdp_server.cc, there is an out of bounds write due to a missing bounds check. This could…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.37%
28.7th percentile
In process_service_attr_req and process_service_search_attr_req of sdp_server.cc, there is an out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Focus detection on the SDP server functions `process_service_attr_req` and `process_service_search_attr_req` in `sdp_server.cc` — these are the vulnerable code paths where the out-of-bounds write occurs due to a missing bounds check. ↗
- →No user interaction is required and no additional privileges are needed — monitor for anomalous Bluetooth SDP traffic targeting Android devices running AOSP 7.0, 7.1.1, 7.1.2, 8.0, 8.1, or 9, as exploitation can be fully remote and silent. ↗
- →Track Android internal bug reference A-79217522 when reviewing patch status or vendor advisories for affected devices. ↗
- ·Affected AOSP versions are 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 — devices on these unpatched versions are at risk; the vulnerability is classified CRITICAL with no privilege or user-interaction requirement. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Android
CVE-2018-9478: Android Security Bulletin 2018-09-01
CVE: CVE-2018-9478
Severity: CRITICAL
Type: EoP
Affected AOSP versions: 7
vendor_android·2018-09-01·CVSS 9.8
CVE-2018-9478 [CRITICAL] CVE-2018-9478: Android Security Bulletin 2018-09-01
CVE: CVE-2018-9478
Severity: CRITICAL
Type: EoP
Affected AOSP versions: 7
Android Security Bulletin 2018-09-01
CVE: CVE-2018-9478
Severity: CRITICAL
Type: EoP
Affected AOSP versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
References: A-79217522
GHSA
GHSA-rmc4-mqv6-cmwx: In process_service_attr_req and process_service_search_attr_req of sdp_server
ghsa_unreviewed·2024-11-20
CVE-2018-9478 [CRITICAL] CWE-787 GHSA-rmc4-mqv6-cmwx: In process_service_attr_req and process_service_search_attr_req of sdp_server
In process_service_attr_req and process_service_search_attr_req of sdp_server.cc, there is an out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-11-20
Published