CVE-2019-5228
CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD
Description
A certain detection module of the P30, P30 Pro, and Honor V20 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R1P21), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R1P12), and versions earlier than Princeton-AL10B 9.1.0.233(C00E233R4P3) has a race condition vulnerability. The system does not properly lock a certain function, so when the function is called by multiple processes it could cause an out-of-bounds write. An attacker must trick the user into installing a malicious application; a successful exploit could cause malicious code execution.
Affected (3)
Products: Huawei: P30 Firmware, P30 Pro Firmware, Honor V20 Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Huawei P30 Firmware | Before elle-al00b_9.1.0.193(c00e190r1p21) |

| Running on/with | Platform Versions |
|---|---|
| Huawei P30 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Huawei P30 Pro Firmware | Before vogue-al00a_9.1.0.193(c00e190r1p12) |

| Running on/with | Platform Versions |
|---|---|
| Huawei P30 Pro | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Huawei Honor V20 Firmware | Before princeton-al10b_9.1.0.233(c00e233r4p3) |

| Running on/with | Platform Versions |
|---|---|
| Huawei Honor V20 | All versions |
Related CWEs
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CWE-787
Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.
References (2)
Source: psirt@huawei.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory