Vulnerabilities > CVE-2018-5914 - Improper Validation of Array Index vulnerability in Qualcomm products

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

qualcomm

CWE-129

NVD

Published: 2018-10-26

Updated: 2019-01-23

Summary

Improper input validation in TZ led to array out of bound in TZ function while accessing the peripheral details using the incoming data in Snapdragon Mobile, Snapdragon Wear version MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 835, SDA660.

Vulnerable Configurations

Part	Description	Count
OS	Qualcomm Qualcomm Mdm9206 Firmware - Qualcomm Mdm9607 Firmware - Qualcomm Mdm9650 Firmware - Qualcomm SD 210 Firmware - Qualcomm SD 212 Firmware - Qualcomm SD 205 Firmware - Qualcomm SD 425 Firmware - Qualcomm SD 430 Firmware - Qualcomm SD 450 Firmware - Qualcomm SD 625 Firmware - Qualcomm SD 650 Firmware - Qualcomm SD 652 Firmware - Qualcomm SD 835 Firmware - Qualcomm Sda660 Firmware -	14
Hardware	Qualcomm Qualcomm Mdm9206 - Qualcomm Mdm9607 - Qualcomm Mdm9650 - Qualcomm SD 210 - Qualcomm SD 212 - Qualcomm SD 205 - Qualcomm SD 425 - Qualcomm SD 430 - Qualcomm SD 450 - Qualcomm SD 625 - Qualcomm SD 650 - Qualcomm SD 652 - Qualcomm SD 835 - Qualcomm Sda660 -	14

Common Weakness Enumeration (CWE)

CWE-129 - Improper Validation of Array Index

Common Attack Pattern Enumeration and Classification (CAPEC)

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.

References

https://www.qualcomm.com/company/product-security/bulletins