Cyber Resilience

CVE-2018-9375

HighLPE

Published: 17 January 2025

Published
17 January 2025
Modified
03 July 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-9375 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2018-9375 is a vulnerability in multiple functions of UserDictionaryProvider.java within Android, caused by a confused deputy issue. This flaw allows unauthorized addition and deletion of words in the user dictionary, potentially leading to local escalation of privilege. No additional execution privileges or user interaction are required for exploitation, as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and associated CWE-269 (Improper Privilege Management).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of need for user interaction. Successful exploitation enables escalation of privileges, resulting in high impacts on confidentiality, integrity, and availability.

The Android security bulletin for Pixel devices details patches and mitigations at https://source.android.com/security/bulletin/pixel/2018-06-01.

EU & UK References

Vulnerability details

In multiple functions of UserDictionaryProvider.java, there is a possible way to add and delete words in the user dictionary due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…

more

is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via exploitation of improper privilege management (confused deputy) in Android component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0023Same product: Google Android
CVE-2025-48645Same product: Google Android
CVE-2026-0029Same product: Google Android
CVE-2024-49742Same product: Google Android
CVE-2025-48613Same product: Google Android
CVE-2026-0032Same product: Google Android
CVE-2024-56192Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49738Same product: Google Android

Affected Assets

google
android
6.0, 6.0.1, 7.0, 7.1.1, 7.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CWE-269 improper privilege management by ensuring the UserDictionaryProvider operates with least privilege, preventing local escalation via unauthorized dictionary modifications.

prevent

Enforces approved authorizations in UserDictionaryProvider functions to block confused deputy exploitation allowing low-privilege addition/deletion of dictionary words.

prevent

Implements a reference monitor to mediate all access to the user dictionary, addressing the confused deputy flaw in provider functions.

References