Details of VAR-201608-0380

ID

VAR-201608-0380

CVE

CVE-2014-9874

TITLE

plural Nexus Run on device Android of Qualcomm Component buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-004218

DESCRIPTION

Buffer overflow in the Qualcomm components in Android before 2016-08-05 on Nexus 5, 5X, 6P, and 7 (2013) devices allows attackers to gain privileges via a crafted application, related to arch/arm/mach-msm/qdsp6v2/audio_utils.c and sound/soc/msm/qdsp6v2/q6asm.c, aka Android internal bug 28751152 and Qualcomm internal bug CR563086. AndroidonNexus is a high-end mobile phone series powered by Google's original Android system. Google Nexus is prone to multiple privilege escalation vulnerabilities. Attackers can exploit these issues to execute arbitrary code with elevated privileges within the context of the kernel. These issues are being tracked by Android Bug IDs A-28768146, A-28747998, A-28748271, A-28747684, A-28749629, A-28749721, A-28749728, A-28749743, A-28749803, A-28750155, A-28750726, A-28751152, A-28767589, A-28767796, A-28768281, A-28769208, A-28769221, A-28769352, A-28769368, A-28769546, A-28769912, A-28769920, A-28769959, A-28815575, A-28804057, A-28803642, A-28803645, A-28803962, A-28804030, A-28398884, A-28813987, A-28814502, A-28814652, A-28815158, A-28749283, and A-28770207

Trust: 2.52

sources: NVD: CVE-2014-9874 // JVNDB: JVNDB-2016-004218 // CNVD: CNVD-2016-06283 // BID: 92219 // VULMON: CVE-2014-9874

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-06283

AFFECTED PRODUCTS

vendor:	google	model:	android	scope:	lte	version:	6.0.1	Trust: 1.0
vendor:	google	model:	android	scope:	eq	version:	2016-08-05	Trust: 0.8
vendor:	google	model:	android	scope:	eq	version:	5<2016-08-05	Trust: 0.6
vendor:	google	model:	android	scope:	eq	version:	7(2013)<2016-08-05	Trust: 0.6
vendor:	google	model:	android (on nexus devices	scope:	eq	version:	6x)<2016-08-05	Trust: 0.6
vendor:	google	model:	android (on nexus devices	scope:	eq	version:	5x)<2016-08-05	Trust: 0.6
vendor:	google	model:	android	scope:	eq	version:	6.0.1	Trust: 0.6
vendor:	google	model:	nexus	scope:	eq	version:	7	Trust: 0.3
vendor:	google	model:	nexus 6p	scope:	-	version:	-	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	6	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5x	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5	Trust: 0.3

sources: CNVD: CNVD-2016-06283 // BID: 92219 // JVNDB: JVNDB-2016-004218 // CNNVD: CNNVD-201608-117 // NVD: CVE-2014-9874

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-9874
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-9874
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-06283
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201608-117
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2014-9874
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-9874
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2016-06283
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2014-9874
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-06283 // VULMON: CVE-2014-9874 // JVNDB: JVNDB-2016-004218 // CNNVD: CNNVD-201608-117 // NVD: CVE-2014-9874

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2016-004218 // NVD: CVE-2014-9874

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-117

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201608-117

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004218

PATCH

title:	Android Security Bulletin-August 2016	url:	http://source.android.com/security/bulletin/2016-08-01.html	Trust: 0.8
title:	Asoc:msm:Added Buffer overflow check	url:	https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=56ff68b1f93eaf22e5e0284648fd862dc08c9236	Trust: 0.8
title:	AndroidonNexusdevices buffer overflow vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/80383	Trust: 0.6
title:	Android on Nexus Qualcomm Fixes for component buffer overflow vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63510	Trust: 0.6
title:	Android Security Bulletins: Android Security Bulletin—August 2016	url:	https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=1c52474e34daae48915f8b4129072a86	Trust: 0.1

sources: CNVD: CNVD-2016-06283 // VULMON: CVE-2014-9874 // JVNDB: JVNDB-2016-004218 // CNNVD: CNNVD-201608-117

EXTERNAL IDS

db:	NVD	id:	CVE-2014-9874	Trust: 3.4
db:	BID	id:	92219	Trust: 1.4
db:	JVNDB	id:	JVNDB-2016-004218	Trust: 0.8
db:	CNVD	id:	CNVD-2016-06283	Trust: 0.6
db:	CNNVD	id:	CNNVD-201608-117	Trust: 0.6
db:	VULMON	id:	CVE-2014-9874	Trust: 0.1

sources: CNVD: CNVD-2016-06283 // VULMON: CVE-2014-9874 // BID: 92219 // JVNDB: JVNDB-2016-004218 // CNNVD: CNNVD-201608-117 // NVD: CVE-2014-9874

REFERENCES

url:	https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=56ff68b1f93eaf22e5e0284648fd862dc08c9236	Trust: 2.3
url:	http://source.android.com/security/bulletin/2016-08-01.html	Trust: 2.1
url:	http://www.securityfocus.com/bid/92219	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9874	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9874	Trust: 0.8
url:	http://code.google.com/android/	Trust: 0.3
url:	https://developers.google.com/android/nexus/images#mantaray	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2016-06283 // VULMON: CVE-2014-9874 // BID: 92219 // JVNDB: JVNDB-2016-004218 // CNNVD: CNNVD-201608-117 // NVD: CVE-2014-9874

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 92219

SOURCES

db:	CNVD	id:	CNVD-2016-06283
db:	VULMON	id:	CVE-2014-9874
db:	BID	id:	92219
db:	JVNDB	id:	JVNDB-2016-004218
db:	CNNVD	id:	CNNVD-201608-117
db:	NVD	id:	CVE-2014-9874

LAST UPDATE DATE

2025-04-12T22:57:52.741000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-06283	date:	2016-08-12T00:00:00
db:	VULMON	id:	CVE-2014-9874	date:	2016-11-28T00:00:00
db:	BID	id:	92219	date:	2016-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2016-004218	date:	2016-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201608-117	date:	2016-08-09T00:00:00
db:	NVD	id:	CVE-2014-9874	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-06283	date:	2016-08-12T00:00:00
db:	VULMON	id:	CVE-2014-9874	date:	2016-08-06T00:00:00
db:	BID	id:	92219	date:	2016-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2016-004218	date:	2016-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201608-117	date:	2016-08-09T00:00:00
db:	NVD	id:	CVE-2014-9874	date:	2016-08-06T10:59:15.540