CVE-2018-9387

High

Published: 18 January 2025

Published

18 January 2025

Modified

10 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-9387 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identification, reporting, and correction of the specific integer overflow flaw in mnh-sm.c that causes the heap overflow.

SI-16 Memory Protection good match

prevent

Provides memory protection mechanisms such as non-executable heaps and address randomization to block exploitation of the heap overflow for privilege escalation.

SI-10 Information Input Validation partial match

prevent

Mandates validation of inputs to functions in mnh-sm.c to avert integer overflows triggered by local attacker-controlled data.

NVD Description

In multiple functions of mnh-sm.c, there is a possible way to trigger a heap overflow due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

exploitation.

Deeper analysisAI

CVE-2018-9387 is a heap overflow vulnerability stemming from an integer overflow in multiple functions within mnh-sm.c. This issue affects Android Pixel devices, as documented in the relevant security bulletin.

A local attacker with low privileges (PR:L) can exploit the vulnerability with low attack complexity and no user interaction required. Exploitation enables local escalation of privilege without needing additional execution privileges, resulting in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The root cause is classified under CWE-120.

The Android Pixel security bulletin from June 2018, available at https://source.android.com/security/bulletin/pixel/2018-06-01, details patches and mitigation steps for addressing this vulnerability in affected devices.

Details

CWE(s): CWE-120

Affected Products

google

android

all versions

CVEs Like This One

CVE-2025-48611Same product: Google Android

CVE-2024-47032Same product: Google Android

CVE-2026-0110Same product: Google Android

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2025-36897Same product: Google Android

CVE-2026-0020Same product: Google Android

CVE-2026-0109Same product: Google Android

CVE-2018-9382Same product: Google Android

References

https://source.android.com/security/bulletin/pixel/2018-06-01
Vendor Advisory · security@android.com