PatchSiren

CVE-2014-9909 Google CVE debrief

CVE-2014-9909 describes an elevation of privilege issue in the Broadcom Wi‑Fi driver on Android. The record says a local malicious application could execute arbitrary code in kernel context, and it was rated High because it first required compromising a privileged process.

Vendor: Google
Product: CVE-2014-9909
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Android OEMs, device fleet defenders, and patch teams responsible for builds that include the affected Broadcom Wi‑Fi driver path, especially Android versions covered by the NVD range through 7.1.0.

Technical summary

The NVD record maps CVE-2014-9909 to Android systems through version 7.1.0 and classifies it as a local, high-complexity issue with user interaction required (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The supplied description attributes the flaw to the Broadcom Wi‑Fi driver and states it can enable arbitrary code execution in kernel context.

Defensive priority

High

Recommended defensive actions

  • Verify whether managed Android devices are on affected versions and whether the Broadcom Wi‑Fi driver fix is present.
  • Apply the relevant Android Security Bulletin/OEM update that addresses A-31676542.
  • Prioritize remediation for exposed, high-value, and fleet-managed devices that cannot easily be reimaged.
  • Remove or retire unsupported devices that will not receive vendor security updates.
  • Review for abnormal Wi‑Fi driver crashes, privilege-escalation alerts, or unexpected kernel instability on affected builds.

Evidence notes

Source evidence comes from the official CVE record, the NVD detail page, and the Android Security Bulletin reference linked in the NVD metadata. The NVD metadata includes CVSS 3.0 vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, CWE-264, and affected Android CPE criteria through version 7.1.0. Timing context: the CVE was published on 2017-01-18 and the supplied NVD record was modified on 2026-05-13; that later timestamp is a metadata update, not the original disclosure date.

Official resources

Publicly disclosed in the supplied official record on 2017-01-18. The linked Android Security Bulletin reference is dated 2016-12-01, and the NVD entry was later modified on 2026-05-13.