A vulnerability classified as critical was found in Google Android (Smartphone Operating System) (the affected version unknown). Affected by this vulnerability is the function binder_transaction of the file binder.c of the component Kernel. The manipulation with an unknown input leads to a integer overflow vulnerability. The CWE definition for the vulnerability is CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In binder_transaction of binder.c in the Android kernel, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

The weakness was shared 09/05/2019 (Website). It is possible to read the advisory at usn.ubuntu.com. This vulnerability is known as CVE-2019-2181 since 12/10/2018. Attacking locally is a requirement. A single authentication is necessary for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 12/13/2023). It is expected to see the exploit prices for this product increasing in the near future.

Applying a patch is able to eliminate this problem.

The entries 141318, 141317, 141316 and 141315 are related to this item.

Productinfo

Type

• Smartphone Operating System

Vendor

• Google

Name

• Android

License

• free

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion