Security readout for executives and security teams
Plain-English summary
This Android Bluetooth service flaw could let a local attacker read sensitive memory from affected devices. It does not require user interaction or extra privileges, but the attacker needs local attack capability. Treat it as a device hygiene and patch-level issue rather than an internet-exposed emergency.
Executive priority
Prioritize remediation for managed Android devices handling sensitive data, especially unsupported legacy devices. This is moderate risk because exploitation is local, but confidentiality impact is high if an affected device is compromised.
Technical view
The issue is an out-of-bounds read in intr_data_copy_cb of btif_hd.cc caused by integer overflow. It maps to CWE-125 and CWE-190 and is scored CVSS 3.1 6.2 with local attack vector, low complexity, no privileges, no user interaction, and high confidentiality impact.
Likely exposure
Exposure is limited to Google Android versions 8, 8.1, and 9 as listed in the source bundle. Systems outside those versions are not shown as affected in the provided data.
Exploitation context
The source bundle does not report active exploitation, and KEV status is false. The CVSS vector indicates local exploitation with no privileges or user interaction, affecting confidentiality only.
Researcher notes
The provided data names the vulnerable function and weakness classes but does not include patch commit details, exploit observations, or OEM-specific status. Avoid assuming impact beyond Android 8, 8.1, and 9 without vendor confirmation.
Mitigation direction
- Inventory Android 8, 8.1, and 9 devices across managed and unmanaged fleets.
- Check Android and OEM guidance tied to the September 2018 security bulletin.
- Apply vendor-provided Android security updates where available.
- Retire or isolate devices that cannot receive applicable vendor fixes.
Validation and detection
- Confirm each device model, Android version, and security patch level.
- Compare device patch levels against Android and OEM September 2018 bulletin guidance.
- Use MDM or EDR inventory to flag unsupported Android 8, 8.1, and 9 devices.
- Document exceptions where vendor patch status cannot be confirmed.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-190: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2018-9482 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.2 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N2.53.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.2MediumVector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://source.android.com/security/bulletin/2018-09-01CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Integer Overflow or Wraparound
Integer Overflow or Wraparound represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
