CVE-2011-1823
Published: 09 June 2011
Summary
CVE-2011-1823 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, this CVE ranks in the top 2.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof of concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability is an integer overflow (CWE-190) in the vold volume manager daemon on Android 3.0 and 2.x releases prior to 2.3.4. It arises because vold trusts every message received over a PF_NETLINK socket, including messages sent by unprivileged local processes rather than by the kernel, and performs only a maximum-value bounds check on a signed integer partition index inside DirectVolume::handlePartitionAdded. A negative index passes that check and is then used to write outside the partition table, corrupting vold's memory.
Because vold runs as root, a local user who can send a crafted netlink message to it can turn that corruption into arbitrary code execution with root privileges. Publicly demonstrated proof-of-concept code such as Gingerbreak implements this attack vector.
Upstream fixes appear in the referenced Android platform commits to system/vold, system/core, and system/netd; they reject out-of-range (including negative) index values and stop trusting netlink messages that did not originate from the kernel. Devices must be updated to Android 2.3.4 or later, or receive the corresponding vendor patches, to close the issue.
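The following C program is an added illustration, not the vold source: it models the maximum-only signed check behind CVE-2011-1823 beside a hardened version of the same check, and the kernel-origin test that the upstream netlink hardening depends on. MAX_PARTITIONS, the function names, the REJECTED sentinel and the uevent payloads are assumptions constructed for the example.

```c
/* Added example modelling the CVE-2011-1823 check; not vold source code.
 * MAX_PARTITIONS, the function names, REJECTED and the uevent payloads
 * below are assumptions made for this illustration. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTITIONS 4      /* assumption: small table so the arithmetic is visible */
#define REJECTED INT_MIN      /* sentinel: the message was refused */

/* Constructed uevent payloads in the kernel's wire format: an "action@devpath"
 * header followed by NUL-separated KEY=VALUE records. */
const char GOOD_UEVENT[] =
    "add@/devices/platform/mmc/block/mmcblk0/mmcblk0p2\0"
    "SUBSYSTEM=block\0DEVTYPE=partition\0PARTN=2\0MINOR=18\0";
const char NEGATIVE_UEVENT[] =
    "add@/devices/platform/mmc/block/mmcblk0/mmcblk0p2\0"
    "SUBSYSTEM=block\0DEVTYPE=partition\0PARTN=-7\0MINOR=18\0";
const char JUNK_UEVENT[] =
    "add@/devices/platform/mmc/block/mmcblk0/mmcblk0p2\0"
    "SUBSYSTEM=block\0DEVTYPE=partition\0PARTN=2x\0MINOR=18\0";

/* Return the NUL-terminated value of KEY in a uevent buffer, or NULL. */
static const char *find_param(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    size_t off = 0;
    while (off < len) {
        const char *rec = buf + off;
        const char *nul = memchr(rec, '\0', len - off);
        if (nul == NULL)
            break;                                 /* unterminated tail: ignore */
        size_t rlen = (size_t)(nul - rec);
        if (rlen > klen + 1 && memcmp(rec, key, klen) == 0 && rec[klen] == '=')
            return rec + klen + 1;
        off += rlen + 1;
    }
    return NULL;
}

/* Vulnerable pattern (signed-index bug of the CWE-190 family): PARTN is
 * parsed into a signed int and compared only against the maximum.  Returns
 * the table index that would be written, or REJECTED.  A negative PARTN is
 * accepted and yields an index before the start of the table. */
int vulnerable_partition_index(const char *buf, size_t len)
{
    const char *p = find_param(buf, len, "PARTN");
    int part_num = p ? atoi(p) : 1;                /* atoi reports no errors */
    if (part_num > MAX_PARTITIONS)
        return REJECTED;                           /* upper bound only */
    return part_num - 1;                           /* may be negative */
}

/* Hardened pattern: strict integer parse and a check on both bounds. */
int hardened_partition_index(const char *buf, size_t len)
{
    const char *p = find_param(buf, len, "PARTN");
    long part_num = 1;                             /* default when PARTN is absent */
    if (p != NULL) {
        char *end;
        part_num = strtol(p, &end, 10);
        if (end == p || *end != '\0')
            return REJECTED;                       /* not a clean decimal integer */
    }
    if (part_num < 1 || part_num > MAX_PARTITIONS)
        return REJECTED;                           /* both directions rejected */
    return (int)(part_num - 1);
}

/* Sender check of the kind the system/core hardening performs before a
 * uevent reaches vold (an assumed model of it): the datagram must arrive on
 * a multicast group, from netlink pid 0 (the kernel), and carry
 * SCM_CREDENTIALS with uid 0.  Anything else is a user-space forgery. */
bool uevent_from_kernel(unsigned nl_groups, unsigned nl_pid,
                        bool has_cred, unsigned cred_uid)
{
    return nl_groups != 0 && nl_pid == 0 && has_cred && cred_uid == 0;
}

int main(void)
{
    const struct { const char *name; const char *buf; size_t len; } cases[] = {
        { "good",     GOOD_UEVENT,     sizeof GOOD_UEVENT },
        { "negative", NEGATIVE_UEVENT, sizeof NEGATIVE_UEVENT },
        { "junk",     JUNK_UEVENT,     sizeof JUNK_UEVENT },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int v = vulnerable_partition_index(cases[i].buf, cases[i].len);
        int h = hardened_partition_index(cases[i].buf, cases[i].len);
        printf("%-8s vulnerable: %s %d\n", cases[i].name,
               v == REJECTED ? "reject" : "accept idx", v == REJECTED ? 0 : v);
        printf("%-8s hardened:   %s %d\n", cases[i].name,
               h == REJECTED ? "reject" : "accept idx", h == REJECTED ? 0 : h);
    }
    printf("kernel sender accepted: %d, user-space sender accepted: %d\n",
           uevent_from_kernel(1, 0, true, 0), uevent_from_kernel(0, 1234, true, 10000));
    return 0;
}
```

Run on the constructed payloads, the vulnerable check accepts PARTN=-7 and computes index -8, a write eight slots before the start of the partition table, while the hardened check rejects it; the sender check is what stops a local process from injecting such a message in the first place.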
The vulnerability saw immediate real-world exploitation through publicly released rooting tools shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-1821
Vulnerability details
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
- KEV Date Added: 08 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Google Android 3.0 and 2.x releases before 2.3.4 (the vold volume manager daemon).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of netlink message contents and index values, blocking the negative-index bypass that produces memory corruption in handlePartitionAdded.
- AC-3 (Access Enforcement): enforces access-control decisions inside system daemons so that untrusted PF_NETLINK messages cannot arbitrarily modify volume structures or escalate privileges.
- SI-16 (Memory Protection): applies memory-protection mechanisms that limit the exploitability of the integer-overflow-induced corruption demonstrated by Gingerbreak.