CVE-2018-9490 — Incorrect Type Conversion or Cast in INC Android

CWE-704 — Incorrect Type Conversion or Cast5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.4%

top 38.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google INC Android Google Android

Timeline

PublishedOct 2

Latest updateMay 14

Description

In CollectValuesOrEntriesImpl of elements.cc, there is possible remote code execution due to type confusion. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-111274046

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDgoogle/android6 versions+5

▶CVEListV5google_inc/androidAndroid-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0

Patches

Patch: android.googlesource.com ↗Patch: android.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-3365-pp7g-p5qf: In CollectValuesOrEntriesImpl of elements↗2022-05-14

▶

CVEList

CVE-2018-9490: In CollectValuesOrEntriesImpl of elements↗2018-10-02

▶

📋Vendor Advisories

Android

CVE-2018-9490: Android Security Bulletin 2018-10-01 CVE: CVE-2018-9490 Severity: CRITICAL Type: EoP Affected AOSP versions: 7↗2018-10-01

▶

📄Research Papers

arXiv

Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities↗2019-05-22

▶