CVE-2018-9387
📋 TL;DR
CVE-2018-9387 is an integer overflow in the mnh-sm.c kernel driver shipped on Google Pixel devices. The overflow can lead to a heap overflow in the kernel, which an attacker with local code execution (for example a malicious app on the device) can use to escalate from an unprivileged context to elevated, potentially kernel-level, privileges. No user interaction is required beyond the attacker's code already running on the device.
💻 Affected Systems
- Google Pixel
- Google Pixel XL
- Google Pixel 2
- Google Pixel 2 XL
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise with root/system-level access, allowing installation of persistent malware, data theft, and bypassing all security controls.
Likely Case
Local privilege escalation where a malicious app gains elevated permissions to access sensitive data or system functions normally restricted.
If Mitigated
No impact on devices at or above the fixing patch level. On unpatched devices, the remaining controls are the app sandbox and the SELinux policy on the driver's device node, which limit which app domains can reach the vulnerable ioctl path. They reduce exposure but do not remove it: once a permitted domain triggers memory corruption in the kernel, SELinux no longer constrains the attacker.
🎯 Exploit Status
Exploitation requires local code execution on the device (a malicious or compromised app, or an attacker with shell access) that can open the driver's device node, plus a working kernel heap grooming strategy to turn the overflow into controlled corruption. No user interaction is needed once that code is running; the typical delivery path is a sideloaded or trojanised app.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android security patch level 2018-06-05 or later
Vendor Advisory: https://source.android.com/security/bulletin/pixel/2018-06-01
Restart Required: Yes
Instructions:
1. Check the current Android security patch level in Settings > System > About phone.
2. If the patch level is before 2018-06-05, update via Settings > System > System update.
3. Reboot the device after the update completes.
🔧 Temporary Workarounds
Unload the driver if it is built as a loadable module
Requires root on the device, and only applies if the mnh-sm driver is built as a loadable module rather than into the kernel image; Android vendor kernels of this generation generally build their drivers in, so check before assuming this is possible. Rooting a device to attempt this also removes platform protections, so it is rarely a net security gain. Check for the module and unload it:
lsmod | grep mnh
rmmod mnh_sm
The modprobe blacklist approach (echo 'blacklist mnh_sm' >> /etc/modprobe.d/blacklist.conf) does not apply to Android, which has no modprobe.d configuration and a read-only system partition; an rmmod also does not persist across reboots. Patching is the only durable fix.
🧯 If You Can't Patch
- Restrict physical access to devices and implement strict app installation policies
- Use mobile device management (MDM) solutions to monitor for suspicious activity and enforce security policies
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level: Settings > System > About phone > Android security patch level. On one of the listed Pixel models, a level before 2018-06-05 means the device is unpatched and vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Confirm that ro.build.version.security_patch reports 2018-06-05 or later after the reboot. The fix ships inside the kernel image, so there is no separate driver version to inspect; a build at or above that patch level carries the corrected driver.
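The check above, as an added example that is not part of the Android bulletin or this page's original text. It classifies a patch-level string against the fixing level using only POSIX shell, and optionally queries an adb-connected device; the sample values at the bottom are constructed, and the `--device` flag is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the Android bulletin): classify a device's
# ro.build.version.security_patch value against the fixing patch level.
# Usage: sh check_patch.sh            (runs against constructed sample values)
#        sh check_patch.sh --device   (queries an adb-connected device)

FIX_LEVEL="2018-06-05"   # Pixel patch level that carries the fix

# Turn YYYY-MM-DD into YYYYMMDD using only POSIX parameter expansion,
# so the two levels can be compared as integers without date(1).
date_to_int() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s%s%s' "$y" "$m" "$d"
}

# Print "patched", "vulnerable" or "unknown" for one patch-level string.
# Exit status: 0 patched, 1 vulnerable, 2 malformed input.
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    if [ "$(date_to_int "$1")" -lt "$(date_to_int "$FIX_LEVEL")" ]; then
        echo "vulnerable"; return 1
    fi
    echo "patched"
}

# Query an attached device over adb; needs an authorised USB debugging session.
# Older adb builds append '\r' to shell output, so strip it before comparing.
check_device() {
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s (security patch level %s): %s\n' "$model" "$level" \
        "$(classify_patch_level "$level")"
}

if [ "${1:-}" = "--device" ]; then
    check_device
else
    # Constructed sample values, not output from a real device.
    for lvl in 2018-05-05 2018-06-05 2019-01-05 unknown; do
        printf '%-12s -> %s\n' "$lvl" "$(classify_patch_level "$lvl")"
    done
fi
```

Because ISO dates are compared numerically, a level such as 2018-06-01 (the public bulletin date) is still reported as vulnerable; only 2018-06-05 or later counts as fixed, matching the patch level named in the bulletin.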
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs or unexplained reboots on affected models
- Kernel oops or crash traces in dmesg that reference the mnh-sm driver (a failed exploit attempt often corrupts the heap and crashes the device rather than succeeding)
- SELinux avc denials whose target is the mnh-sm device node, indicating an app domain probing a driver it is not meant to reach
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
Search Android device logs collected by your MDM or EDR for kernel panic events, unexpected reboots, and avc denial records that reference the mnh-sm driver, and correlate them with recent app installs on the same device.
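A triage script for the indicators above, as an added example that is not part of the original page. It scans a saved kernel log (from adb shell dmesg, or adb logcat -b kernel where the device exposes the kernel buffer) and tags each hit by indicator class. The sample lines are constructed for illustration; the device path, SELinux label and kernel symbol in them are placeholders, not names taken from the real Pixel policy or driver.

```shell
#!/bin/sh
# Added example (not from the Android bulletin): triage a saved kernel log
# for the three indicator classes listed above. The sample log below is
# constructed; /dev/mnh_sm, mnh_sm_device and mnh_sm_example_handler are
# placeholders, not identifiers taken from the real device.

# Tag each matching line with its indicator class, one line per hit.
# Rule order matters: an avc denial that mentions the driver is reported
# once as a denial, not again as a driver trace.
scan_log() {
    awk '
        /avc: +denied/ && /mnh/                       { print "selinux-denial  line " NR ": " $0; n++; next }
        /mnh[-_]sm/                                   { print "driver-trace    line " NR ": " $0; n++; next }
        /Kernel panic|Unable to handle kernel|Oops/   { print "kernel-crash    line " NR ": " $0; n++; next }
        END { exit (n > 0 ? 0 : 1) }   # non-zero status when nothing matched
    ' "$1"
}

# Number of flagged lines in a log file.
count_indicators() {
    scan_log "$1" | awk 'END { print NR }'
}

# Constructed sample log, written to a temp file so the functions take a path
# exactly as they would for a dump pulled from a device.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
[  120.331] type=1400 audit(0.0:17): avc: denied { ioctl } for comm="com.example.app" path="/dev/mnh_sm" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:mnh_sm_device:s0 tclass=chr_file permissive=0
[  121.002] binder: 1234:1234 transaction failed 29189/-22, size 0-0 line 2991
[  121.540] Unable to handle kernel paging request at virtual address 0000000000001000
[  121.541] PC is at mnh_sm_example_handler+0x1f4/0x5a0
[  121.560] Kernel panic - not syncing: Fatal exception
EOF

scan_log "$SAMPLE"
printf 'indicators flagged: %s\n' "$(count_indicators "$SAMPLE")"
```

The binder line is included as noise to show that only driver-specific and crash lines are flagged. In practice, run it over logs pulled from every device in scope and treat a denial followed within seconds by a crash trace naming the driver as a high-priority event, since that sequence matches a failed exploit attempt better than a benign driver fault.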