Login Sign Up

CVE-2018-9423

6.5 MEDIUM
Denial of Service

📋 TL;DR

This vulnerability in Android's HEVC video decoder allows an out-of-bounds read when parsing malformed video files. Attackers can cause denial of service by tricking users into opening specially crafted video content. This affects Android devices using the vulnerable HEVC decoder component.

💻 Affected Systems

Products:
  • Android OS
Versions: Android 8.0 and 8.1 (Oreo)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the ihevcd_parse_slice_header function in HEVC video decoder. Pixel devices were specifically mentioned in the bulletin.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Device crashes or becomes unresponsive when processing malicious video content, requiring reboot.

🟠

Likely Case

App crashes when playing malicious video, potentially causing data loss in unsaved work.

🟢

If Mitigated

App sandboxing prevents privilege escalation, limiting impact to the affected app only.

🌐 Internet-Facing: MEDIUM - Requires user interaction but can be triggered via web content or downloaded files.
🏢 Internal Only: LOW - Requires user interaction and specific video file processing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious video file. No privilege escalation possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2018-07-01 or later

Vendor Advisory: https://source.android.com/docs/security/bulletin/pixel/2018-07-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > Advanced > System update. 2. Install Android Security Patch Level 2018-07-01 or later. 3. Reboot device after installation.

🔧 Temporary Workarounds

Disable automatic media processing

android

Prevent automatic parsing of video files in untrusted apps

Use trusted video players only

android

Configure system to use known secure video player applications

🧯 If You Can't Patch

  • Restrict video file processing to trusted applications only
  • Implement network filtering to block suspicious video downloads

🔍 How to Verify

Check if Vulnerable:

Check Android version and security patch level in Settings > About phone > Android version

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Security Patch Level shows 2018-07-01 or later in Settings > About phone

📡 Detection & Monitoring

Log Indicators:

  • App crashes when processing video files
  • Kernel panic logs related to media processing

Network Indicators:

  • Unusual video file downloads from untrusted sources

SIEM Query:

app_crash AND (process_name:media* OR process_name:video*) AND android_version:8.*

📊 Metadata

CVE ID: CVE-2018-9423
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE: CWE-125
Published: December 2, 2024
Last Updated: December 18, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-9423, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)