CVE-2019-9456

In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

CVSS v3 6.7 MEDIUM
CVSS v2.0 4.6 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html	Mailing List Third Party Advisory
https://source.android.com/security/bulletin/pixel/2019-09-01	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:15.1:::::::*

History

14 Oct 2022, 01:39

Type	Values Removed	Values Added
CPE		cpe:2.3:o:opensuse:leap:15.0:::::::* cpe:2.3:o:opensuse:leap:15.1:::::::*
References	~~(SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html -~~	(SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html - Mailing List, Third Party Advisory
References	~~(SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html -~~	(SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html - Mailing List, Third Party Advisory

Information

Published : 2019-09-06 22:15

Updated : 2024-02-04 20:20

NVD link : CVE-2019-9456

Mitre link : CVE-2019-9456

CVE.ORG link : CVE-2019-9456

JSON object : View

Products Affected

google

android

opensuse

leap

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2019-9456", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2019-09-06T22:15:13.787", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@android.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@android.com"}, {"url": "https://source.android.com/security/bulletin/pixel/2019-09-01", "tags": ["Patch", "Vendor Advisory"], "source": "security@android.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation."}, {"lang": "es", "value": "En el kernel de Android en el controlador del monitor USB Pixel C hay una posible escritura OOB debido a una falta de comprobaci\u00f3n de l\u00edmites. Esto podr\u00eda llevar a un escalado de privilegios local, necesitando privilegios de ejecuci\u00f3n System. La interacci\u00f3n del usuario no es necesaria para la explotaci\u00f3n."}], "lastModified": "2022-10-14T01:39:43.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9"}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"}], "operator": "OR"}]}], "sourceIdentifier": "security@android.com"}