LiveActive security incident?Get immediate response
CVE Record

CVE-2018-9480: In bta_hd_get_report_act of bta_hd_act.cc, there is a possible out-of-bounds read due to improper input val...

In bta_hd_get_report_act of bta_hd_act.cc, there is a possible out-of-bounds read due to improper input validation. This could lead to remote information disclosure in the Bluetooth service with no additional execution privileges needed. User interaction is not needed for exploitation.

MediumCVSS 6.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2018-9480 is an Android Bluetooth service flaw that can expose information to a nearby attacker. It affects Android 8, 8.1, and 9 according to the provided CVE data. No user interaction or privileges are required, but the attack vector is adjacent, meaning practical exposure depends on Bluetooth proximity.

Executive priority

Treat this as a fleet hygiene and legacy Android risk, not an internet-scale emergency. Prioritize unsupported or Bluetooth-enabled Android 8, 8.1, and 9 devices in sensitive environments.

Technical view

The issue is an out-of-bounds read in bta_hd_get_report_act in bta_hd_act.cc caused by improper input validation. The CVSS 3.1 score is 6.5 with high confidentiality impact, no integrity or availability impact, and adjacent-network access. The weakness is mapped to CWE-125.

Likely exposure

Organizations are most likely exposed through legacy Android 8, 8.1, or 9 devices that still use affected Bluetooth components and lack the relevant Android security fixes.

Exploitation context

The provided sources do not show CISA KEV listing or confirmed active exploitation. Exploitation is described as remote within adjacent Bluetooth range, requiring no privileges and no user interaction.

Researcher notes

Evidence is limited to CVE metadata and the Android security bulletin reference. The affected code path is in Android Bluetooth handling, with confidentiality impact only. No exploit details, public exploitation claim, or additional affected products are provided in the source bundle.

Mitigation direction

  • Identify Android 8, 8.1, and 9 devices in fleet inventory.
  • Check vendor or OEM guidance tied to the Android September 2018 bulletin.
  • Update affected devices to vendor builds containing the relevant Android security fixes.
  • Retire unsupported devices that cannot receive the applicable security update.
  • Reduce unnecessary Bluetooth use on legacy devices until patched or replaced.

Validation and detection

  • Confirm device Android version and security patch level through MDM or asset records.
  • Map affected assets against Android 8, 8.1, and 9 exposure.
  • Verify OEM firmware includes fixes from the referenced Android bulletin.
  • Review whether Bluetooth is enabled on legacy or unmanaged devices.
  • Document exceptions for devices that cannot be updated.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-125: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-9480 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.1MediumCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N2.83.6Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

6.5Medium
CVSS 3.1 vector shape for CVE-2018-9480Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
GoogleAndroid8, 8.1, 9unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-125 · source CWE mapping

Out-of-bounds Read

Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.