CVE-2018-9490

HIGH

Google Android - Remote Code Execution

Title source: rule

Description

In CollectValuesOrEntriesImpl of elements.cc, there is possible remote code execution due to type confusion. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-111274046

References (4)

[Patch] https://android.googlesource.com/platform/external/chromium-libpac/+/948d4753664cc4e6b33cc3de634ac8fd5f781382%2C

[Vendor Advisory] https://source.android.com/security/bulletin/2018-10-01%2C

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/105484

[Patch, Third Party Advisory] https://android.googlesource.com/platform/external/v8/+/a24543157ae2cdd25da43e20f4e48a07481e6ceb

Scores

CVSS v3 7.8

EPSS 0.0042

EPSS Percentile 61.8%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-704

Status published

Products (6)

google/android 7.0

google/android 7.1.1

google/android 7.1.2

google/android 8.0

google/android 8.1

google/android 9.0

Published Oct 02, 2018

Tracked Since Feb 18, 2026