CVE-2017-13183 : In the OMXNodeInstance::useBuffer and IOMX::freeBuffer functions, there is a pos

In the OMXNodeInstance::useBuffer and IOMX::freeBuffer functions, there is a possible use after free due to a race condition if the user frees the buffer while it's being used in another thread. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 8.1. Android ID: A-38118127.

Published 2018-01-12 23:29:01

Updated 2018-02-02 17:29:17

Source Android (associated with Google Inc. or Open Handset Alliance)

View at NVD, CVE.org

Vulnerability category: Memory CorruptionGain privilege

Products affected by CVE-2017-13183

Google » Android » Version: 8.1
cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-13183

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-13183

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.2	MEDIUM	AV:L/AC:H/Au:N/C:C/I:C/A:C	1.9	10.0	NIST
Access Vector: Local Access Complexity: High Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.0	HIGH	CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-13183

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-13183

http://www.securityfocus.com/bid/102421

Google Android Media Framework Component CVE-2017-13183 Local Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry
http://www.securitytracker.com/id/1040106

Google Android Bugs Let Remote Users Obtain Sensitive Information, Deny Service, and Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://source.android.com/security/bulletin/2018-01-01

Android Security Bulletin—January 2018 | Android Open Source Project
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-13183

Products affected by CVE-2017-13183

Exploit prediction scoring system (EPSS) score for CVE-2017-13183

CVSS scores for CVE-2017-13183

CWE ids for CVE-2017-13183

References for CVE-2017-13183