CVE-2018-9375

HIGH

Android - Local Privilege Escalation via UserDictionaryProvider Confused Deputy

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9375. PoCs published by IOActive.

AI-analyzed exploit summary: This PoC exploits a SQL injection vulnerability in the Android UserDictionary Content Provider (CVE-2018-9375) to leak sensitive data via timing attacks. It uses binary search and timing-based SQLi to extract dictionary entries without requiring authentication.

Description

In multiple functions of UserDictionaryProvider.java, there is a possible way to add and delete words in the user dictionary due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (1)

nomisec WORKING POC 21 stars
by IOActive · poc
https://github.com/IOActive/AOSP-ExploitUserDictionary


Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Android Open Source Project (AOSP) UserDictionary Provider
Authentication: No auth needed
Prerequisites: Android device with vulnerable UserDictionary Provider · Malicious app with storage permissions
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0020
EPSS Percentile 9.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-269
Status published
Products (7)
google/android 6.0
google/android 6.0.1
google/android 7.0
google/android 7.1.1
google/android 7.1.2
google/android 8.0
google/android 8.1
Published Jan 17, 2025
Tracked Since Feb 18, 2026