PT-2018-1959 · Google · Android Kernel
Published: 2018-12-03 · Updated: 2019-10-03
CVE-2018-9567
CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Android kernel
Description
The issue is a bug in the verified boot process on Pixel devices: the same certificate fingerprint is shown even when different signing keys are used. This could lead to local escalation of privilege if the certificate fingerprints are relied upon to determine the OS version. Exploitation requires System execution privileges; no user interaction is needed. The vulnerability is also associated with errors in the certificate authentication procedure of the HTC Bootloader component in the Android operating system.
Recommendations
For Android kernel, consider implementing additional verification measures to ensure the authenticity of the OS version, rather than relying solely on certificate fingerprints, until a patch is available.
As a temporary workaround, restrict access to System execution privileges to minimize the risk of exploitation.
Fix
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Android
Android Kernel
HTC Bootloader
Pixel