CVE-2015-9195

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code on affected Android devices through a buffer overflow in Qualcomm's QTEE syscall handler. It affects Android devices with specific Qualcomm Snapdragon chipsets before the April 2018 security patch. Attackers can potentially gain full control of the device.

💻 Affected Systems

Products:
  • Android devices with Qualcomm Snapdragon MDM9625, MDM9635M, MDM9650, MDM9655, SD 400, SD 410/12, SD 615/16/SD 415, SD 617, SD 650/52, SD 808, SD 810, SDX20 chipsets
Versions: Android versions before April 5, 2018 security patch level
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with specific Qualcomm chipsets; other Android devices are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing remote code execution, data theft, persistent backdoor installation, and device takeover.

🟠 Likely Case

Local privilege escalation allowing malware to gain root access and bypass security controls.

🟢 If Mitigated

No impact if patched; limited impact if device has strong app sandboxing and exploit mitigations.

🌐 Internet-Facing: MEDIUM - Requires local access or malicious app installation, but could be combined with other exploits.
🏢 Internal Only: HIGH - Once an attacker gains local access through phishing or malicious apps, they can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access or ability to execute code on device; buffer overflow exploitation requires specific knowledge of QTEE syscall handler.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level April 5, 2018 or later

Vendor Advisory: https://source.android.com/security/bulletin/2018-04-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install April 2018 or later security patch.
3. Restart device.
4. Verify patch installation in Settings > About phone > Android security patch level.

🔧 Temporary Workarounds

Disable unnecessary system components

Reduce attack surface by disabling unused system services and features

🧯 If You Can't Patch

  • Isolate affected devices from critical networks and sensitive data
  • Implement strict app installation policies and mobile device management controls

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android security patch level. If the date is before April 2018, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows April 2018 or later date.
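
Added example (not part of the original advisory): a shell helper that classifies the value returned by the getprop command above against the April 5, 2018 level from the Official Fix section. The function names and the --device switch are assumptions of this example, and it checks the patch level only, not the chipset; note that a device reporting 2018-04-01 is below the fixed level.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# fixed level this page lists under "Patch Version" (April 5, 2018).
FIXED_LEVEL="2018-04-05"

# patch_status LEVEL
# Prints "patched", "vulnerable" or "unknown" for a YYYY-MM-DD string.
patch_status() {
    # adb output usually ends in a carriage return; strip CR and spaces.
    lvl=$(printf '%s' "$1" | tr -d '\r ')
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        # Empty or malformed value (e.g. a build that does not set the
        # property): do not guess, report it for manual review.
        *) echo "unknown"; return 0 ;;
    esac
    # Compare as integers: 2018-04-01 -> 20180401, below 20180405.
    have=$(printf '%s' "$lvl" | tr -d '-')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# check_device [SERIAL]
# Queries one attached device with the command from "Check Version".
check_device() {
    if [ -n "$1" ]; then
        raw=$(adb -s "$1" shell getprop ro.build.version.security_patch)
    else
        raw=$(adb shell getprop ro.build.version.security_patch)
    fi
    raw=$(printf '%s' "$raw" | tr -d '\r')
    echo "${1:-device}: ${raw:-<empty>} -> $(patch_status "$raw")"
}

# Only touch adb when explicitly asked: ./check.sh --device [SERIAL]
if [ "$1" = "--device" ]; then
    check_device "$2"
fi
```

A "patched" result only confirms the patch level; whether the device was ever affected still depends on it using one of the chipsets listed under Affected Systems.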

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • QTEE syscall handler crash logs
  • Unexpected privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from system processes
  • Suspicious network activity from elevated privileges

SIEM Query:

source="android_logs" AND ("QTEE" OR "syscall" OR "buffer overflow")
