Cyber Resilience

CVE-2011-1823

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 09 June 2011
Modified: 21 April 2026
KEV Added: 08 September 2022
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3834 (97.3rd percentile)
Risk Priority: 59 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2011-1823 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

The vulnerability is an integer overflow (CWE-190) in the vold volume manager daemon on Android 3.0 and 2.x releases prior to 2.3.4. It arises because vold trusts all messages received over a PF_NETLINK socket and performs a maximum-only bounds check on a signed integer index inside DirectVolume::handlePartitionAdded; a negative value bypasses the check and produces memory corruption.

Local users on an affected device can exploit the flaw by sending a crafted netlink message, achieving arbitrary code execution and root privileges. Publicly demonstrated proof-of-concept code such as Gingerbreak implements this attack vector.

Upstream fixes appear in the referenced Android platform commits to system/vold, system/core, and system/netd; these changes add proper validation of netlink message contents and index values. Devices must be updated to Android 2.3.4 or later, or receive the corresponding vendor patches, to close the issue.
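The defect class described above, a signed index checked only against an upper bound, is easiest to see side by side with the corrected check. The following is an added illustration, not vold's code and not taken from the referenced Android commits: the record type, the `MAX_PARTITIONS` capacity, the `PARTN` field name and the NUL-separated key=value message layout are all assumptions modelled on the pattern the advisory describes. The vulnerable check accepts every negative value, so a store at `index - 1` would land outside the array; the hardened handler rejects anything outside `[1, MAX_PARTITIONS]` before touching memory and also rejects malformed integer fields from the untrusted message.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity and record, modelled on the pattern the advisory
 * describes; not taken from vold's source. */
#define MAX_PARTITIONS 8

typedef struct {
    int minors[MAX_PARTITIONS];   /* one slot per 1-based partition number */
} volume_t;

/* Vulnerable pattern (CWE-190 / out-of-range index): an upper bound only, on
 * a signed value. Every negative index passes, so index - 1 would land
 * outside minors[]. Shown for comparison only; nothing here stores through it. */
static bool index_ok_max_only(int index) {
    return index <= MAX_PARTITIONS;
}

/* Hardened pattern: the index is a 1-based partition number, so it must lie
 * in [1, MAX_PARTITIONS]; anything else is rejected before any store. */
static bool index_ok_bounded(int index) {
    return index >= 1 && index <= MAX_PARTITIONS;
}

/* Extract the integer after "key=" from a NUL-separated key=value message
 * (constructed to resemble a uevent-style payload; the exact format vold
 * parses is an assumption here). Rejects a missing key, an unterminated
 * field, trailing garbage, and values that do not fit in an int. */
static bool get_int_field(const char *msg, size_t len, const char *key, int *out) {
    size_t klen = strlen(key);
    size_t off = 0;
    while (off < len) {
        const char *field = msg + off;
        const char *nul = memchr(field, '\0', len - off);
        if (nul == NULL)
            return false;                       /* unterminated trailing field */
        size_t flen = (size_t)(nul - field);
        if (flen > klen && memcmp(field, key, klen) == 0 && field[klen] == '=') {
            const char *start = field + klen + 1;
            char *end;
            errno = 0;
            long v = strtol(start, &end, 10);
            if (errno != 0 || end == start || *end != '\0')
                return false;                   /* not a clean integer */
            if (v < INT_MIN || v > INT_MAX)
                return false;                   /* would wrap on narrowing */
            *out = (int)v;
            return true;
        }
        off += flen + 1;
    }
    return false;                               /* key absent */
}

/* Hardened handler: the message is untrusted, so both the parse and the
 * range check must succeed before minors[] is written. */
static bool handle_partition_added(volume_t *v, const char *msg, size_t len, int minor) {
    int index;
    if (!get_int_field(msg, len, "PARTN", &index))
        return false;
    if (!index_ok_bounded(index))
        return false;
    v->minors[index - 1] = minor;
    return true;
}

int main(void) {
    /* Constructed sample messages, not captured traffic. */
    static const char ok_msg[]  = "ACTION=add\0PARTN=3";
    static const char neg_msg[] = "ACTION=add\0PARTN=-1";
    volume_t vol = {{0}};

    printf("max-only check accepts PARTN=-1: %s\n", index_ok_max_only(-1) ? "yes" : "no");
    printf("bounded check accepts PARTN=-1:  %s\n", index_ok_bounded(-1) ? "yes" : "no");
    printf("handle PARTN=3  -> %s\n",
           handle_partition_added(&vol, ok_msg, sizeof ok_msg, 42) ? "stored" : "rejected");
    printf("handle PARTN=-1 -> %s\n",
           handle_partition_added(&vol, neg_msg, sizeof neg_msg, 42) ? "stored" : "rejected");
    return 0;
}
```

The point of the two check functions is the one the advisory makes: a range check on a signed value needs both ends, and a check written before the value is converted to an array offset should be stated in terms of the array's real bounds. The parser is included because the same message also has to be treated as untrusted input, which is what the SI-10 control listed below asks for.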

The vulnerability saw immediate real-world exploitation through publicly released rooting tools shortly after disclosure.

Vulnerability details

The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.

CWE(s): CWE-190 (Integer Overflow or Wraparound)
KEV Date Added: 08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: google
Product: android
Versions: 3.0 · 2.0 to 2.3.4 (2.x releases before 2.3.4)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of netlink messages and index values to block the negative-index bypass that produces memory corruption in handlePartitionAdded.

AC-3 Access Enforcement (prevent): Enforces access-control decisions inside system daemons so that untrusted PF_NETLINK messages cannot arbitrarily modify volume structures or escalate privileges.

Memory protection control (prevent; control identifier not given on the page): Applies memory-protection mechanisms that limit the exploitability of the integer-overflow-induced corruption demonstrated by Gingerbreak.

References