The following security vulnerabilities have been identified:
While receiving netlink messages from userspace, an out of memory situation could occur if the incoming netlink message has its pid field set to 0. Similarly, while receiving netlink messages from userspace an out of bounds vulnerability could occur since boundaries on incoming data were not properly checked.
Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-20 Improper Input Validation
All Android releases from CAF using the Linux kernel.
We advise customers to apply the following patches:
This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.