CVE-2017-10998
Last modified
CVE-2017-10998 is a vulnerability of currently unknown severity. In all Qualcomm products with Android releases from CAF using the Linux kernel, in audio_aio_ion_lookup_vaddr, the buffer length, which is user input, ends up being used to validate if the buffer is fully within the valid region. If the buffer length is large enough then the address + length operation could overflow and produce a result far below the valid region.. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
In all Qualcomm products with Android releases from CAF using the Linux kernel, in audio_aio_ion_lookup_vaddr, the buffer length, which is user input, ends up being used to validate if the buffer is fully within the valid region. If the buffer length is large enough then the address + length operation could overflow and produce a result far below the valid region.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Android | <= 8.0 |
References
- http://www.securityfocus.com/bid/100658Third Party Advisory, VDB Entry
- https://source.android.com/security/bulletin/2017-09-01Patch, Vendor Advisory
- http://www.securityfocus.com/bid/100658Third Party Advisory, VDB Entry
- https://source.android.com/security/bulletin/2017-09-01Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-10998?
How severe is CVE-2017-10998?
How do I fix CVE-2017-10998?
Are you affected by CVE-2017-10998?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST