CVE-2015-9190

9.8 CRITICAL

📋 TL;DR

This CVE describes an integer overflow vulnerability in Qualcomm Snapdragon bootloader code that allows bypassing memory protection checks. When exploited, it can lead to secondary bootloader (SBL) memory corruption, potentially enabling arbitrary code execution. Affected devices include Android smartphones and wearables with specific Qualcomm chipsets before April 2018 security patches.
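The bug class described above, as an added example (not Qualcomm's bootloader code and not taken from the advisory): a destination-range check whose 32-bit end address wraps, shown beside a hardened form. The region bounds, function names and sample requests are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical protected region standing in for the loader's own memory. */
#define PROT_START 0x08000000u
#define PROT_END   0x08100000u /* exclusive */

/* Flawed check: dest + len is evaluated in 32 bits and can wrap, so a range
 * that runs through the protected region can appear to end below it. */
static bool range_ok_unchecked(uint32_t dest, uint32_t len)
{
    uint32_t end = dest + len; /* wraps modulo 2^32 */
    return end <= PROT_START || dest >= PROT_END;
}

/* Hardened check: reject any request whose end would overflow before
 * comparing against the protected region. */
static bool range_ok_checked(uint32_t dest, uint32_t len)
{
    if (len > UINT32_MAX - dest)
        return false;
    uint32_t end = dest + len;
    return end <= PROT_START || dest >= PROT_END;
}

int main(void)
{
    /* Constructed sample requests: {destination, length}. */
    static const uint32_t cases[][2] = {
        {0x07000000u, 0x00001000u}, /* benign, below the region */
        {0x07FFF000u, 0x00002000u}, /* plain overlap, both reject */
        {0x07FFF000u, 0xF8002000u}, /* end wraps to 0x00001000 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t d = cases[i][0], n = cases[i][1];
        printf("dest=0x%08x len=0x%08x unchecked=%d checked=%d\n",
               (unsigned)d, (unsigned)n,
               range_ok_unchecked(d, n), range_ok_checked(d, n));
    }
    return 0;
}
```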

💻 Affected Systems

Products:
  • Android smartphones
  • Android wearables
  • Qualcomm-based IoT devices
Versions: Android versions before April 2018 security patch level (2018-04-05)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with specific Qualcomm Snapdragon chipsets: IPQ4019, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 600, SD 615/16/SD 415, SD 808, and SD 810.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent root access, bootloader unlocking, or installation of malicious firmware that survives factory resets.

🟠 Likely Case

Local privilege escalation allowing attackers to gain elevated permissions, bypass security mechanisms, or install persistent malware.

🟢 If Mitigated

Limited impact with proper security controls; device remains functional but vulnerable to local attacks requiring physical access or malware foothold.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring execution on the device, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Requires local access or malware execution; could be exploited by malicious apps or physical attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires understanding of bootloader internals and memory layout; likely requires physical access or significant local privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level 2018-04-05 or later

Vendor Advisory: https://source.android.com/security/bulletin/2018-04-01

Restart Required: Yes

Instructions:

1. Check device security patch level in Settings > About phone > Android security patch level.
2. If before April 2018, update device through Settings > System > System update.
3. For custom ROMs, apply Qualcomm-provided patches to bootloader source code.
4. Reboot device after update.

🔧 Temporary Workarounds

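Disable bootloader debugging (Android)

Prevents unauthorized bootloader access through debugging interfaces by relocking the bootloader. Run from a host with the device in fastboot mode. Which command applies depends on the device, and changing the lock state typically erases user data:

fastboot oem lock
fastboot flashing lock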

🧯 If You Can't Patch

  • Restrict physical access to devices and implement strict app installation policies
  • Use mobile device management (MDM) solutions to monitor for suspicious bootloader activity

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level: Settings > About phone > Android security patch level. If date is before April 2018, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows April 2018 or later. Check that bootloader remains locked and secure boot is enabled.

📡 Detection & Monitoring

Log Indicators:

  • Bootloader debug messages indicating memory corruption
  • Kernel panic during boot
  • Unexpected bootloader unlock events

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Device logs showing bootloader errors or unexpected reboots on Android devices with vulnerable chipsets
