{"api_version":"1","generated_at":"2026-05-08T07:40:33+00:00","cve":"CVE-2018-9565","urls":{"html":"https://cve.report/CVE-2018-9565","api":"https://cve.report/api/cve/CVE-2018-9565.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-9565","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-9565"},"summary":{"title":"CVE-2018-9565","description":"In readBytes of xltdecwbxml.c, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-16680558.","state":"PUBLIC","assigner":"security@android.com","published_at":"2018-12-06 14:29:00","updated_at":"2020-08-24 17:37:00"},"problem_types":["CWE-125","CWE-190"],"metrics":[],"references":[{"url":"https://source.android.com/security/bulletin/2018-12-01","name":"https://source.android.com/security/bulletin/2018-12-01","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Android Security Bulletin—December 2018  |  Android Open Source Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/106065","name":"106065","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Google Android System Component CVE-2018-9565 Information Disclosure Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-9565","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9565","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"9565","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"9565","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@android.com","ID":"CVE-2018-9565","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Android","version":{"version_data":[{"version_value":"Android-16680558"}]}}]},"vendor_name":"Google Inc."}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In readBytes of xltdecwbxml.c, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-16680558."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information disclosure"}]}]},"references":{"reference_data":[{"name":"106065","refsource":"BID","url":"http://www.securityfocus.com/bid/106065"},{"name":"https://source.android.com/security/bulletin/2018-12-01","refsource":"CONFIRM","url":"https://source.android.com/security/bulletin/2018-12-01"}]}},"nvd":{"publishedDate":"2018-12-06 14:29:00","lastModifiedDate":"2020-08-24 17:37:00","problem_types":["CWE-125","CWE-190"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"9565","Ordinal":"125979","Title":"CVE-2018-9565","CVE":"CVE-2018-9565","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"9565","Ordinal":"1","NoteData":"In readBytes of xltdecwbxml.c, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-16680558.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"9565","Ordinal":"2","NoteData":"2018-12-06","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"9565","Ordinal":"3","NoteData":"2018-12-07","Type":"Other","Title":"Modified"}]}}}