PatchSiren cyber security CVE debrief
CVE-2014-9910 Google CVE debrief
CVE-2014-9910 is a High-severity elevation-of-privilege issue affecting Android’s Broadcom Wi‑Fi driver. According to the CVE record, a local malicious application could potentially execute arbitrary code in the kernel context, but the issue is rated High because exploitation first requires compromising a privileged process. NVD maps the issue to Android versions up to 7.1.0, and Google’s Android security bulletin is the primary vendor reference.
- Vendor
- Product
- CVE-2014-9910
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-18
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-18
- Advisory updated: 2026-05-13
Who should care
Android platform defenders, OEM security teams, mobile device fleet owners, and anyone responsible for devices running Android builds that include the Broadcom Wi‑Fi driver. Kernel-level impact makes this especially important for enterprise-managed phones and tablets.
Technical summary
The vulnerability is described as an elevation of privilege in the Broadcom Wi‑Fi driver on Android. The impact is kernel-context arbitrary code execution from a local malicious application, but the path to exploitation depends on first compromising a privileged process. NVD classifies the weakness under CWE-264 and provides a CVSS 3.0 vector of AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, high attack complexity, and user interaction requirements. The NVD CPE criteria indicate affected Android versions through 7.1.0.
Defensive priority
High. Kernel-context impact warrants prompt review even though exploitation is not remote and requires additional conditions. Prioritize patch verification on Android devices and confirmation that vendor security updates covering this issue are deployed.
Recommended defensive actions
- Confirm whether managed Android devices are on builds at or below the affected range identified by NVD (through Android 7.1.0).
- Verify installation of the vendor security update referenced in Google’s Android Security Bulletin for 2016-12-01.
- Treat devices with Broadcom Wi‑Fi driver exposure as higher priority for remediation and inventory them accordingly.
- Apply standard mobile hardening to reduce the chance of privileged-process compromise, since the CVE description says exploitation depends on that precondition.
- Monitor for vendor firmware, OS, or OEM patch advisories that explicitly mention this Android kernel-driver issue.
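A fleet triage check covering the first three actions above, added here as an illustration and not taken from the CVE record, NVD, or Google's bulletin. The inventory records and their field names (`android_version`, `security_patch`, `wifi_vendor`) are constructed, and using the bulletin date 2016-12-01 as the minimum acceptable patch level is an assumption to confirm against the bulletin itself.

```python
from datetime import date

# Values taken from the debrief above.
MAX_AFFECTED = (7, 1, 0)            # NVD CPE range: Android through 7.1.0
BULLETIN_DATE = date(2016, 12, 1)   # assumption: bulletin date used as minimum patch level

def parse_version(text):
    """'7.1' -> (7, 1, 0). Short versions are zero-padded before comparison."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def parse_patch_level(text):
    """Parse a YYYY-MM-DD patch level; None when absent or malformed."""
    try:
        return date.fromisoformat(text.strip())
    except (AttributeError, ValueError):
        return None

def triage(device, min_patch=BULLETIN_DATE):
    """Return 'ok', 'review' or 'urgent' for one inventory record."""
    if parse_version(device["android_version"]) > MAX_AFFECTED:
        return "ok"                 # outside the NVD affected range
    level = parse_patch_level(device.get("security_patch"))
    if level is not None and level >= min_patch:
        return "ok"                 # in range, but reports a new enough patch level
    # In range and not provably patched; a missing patch level counts as unpatched.
    # Broadcom Wi-Fi exposure raises the priority, per the action list.
    broadcom = (device.get("wifi_vendor") or "").lower() == "broadcom"
    return "urgent" if broadcom else "review"

# Constructed sample inventory (hypothetical devices, not real fleet data).
INVENTORY = [
    {"id": "tab-01", "android_version": "6.0.1", "security_patch": "2016-10-01", "wifi_vendor": "Broadcom"},
    {"id": "ph-02", "android_version": "7.1", "security_patch": "2017-03-05", "wifi_vendor": "Broadcom"},
    {"id": "ph-03", "android_version": "5.1.1", "security_patch": "", "wifi_vendor": "Qualcomm"},
    {"id": "ph-04", "android_version": "8.0.0", "security_patch": "2017-08-05", "wifi_vendor": None},
]

def triage_fleet(inventory):
    """Map device id -> triage result."""
    return {d["id"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for dev_id, result in triage_fleet(INVENTORY).items():
        print(f"{dev_id}: {result}")
```
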
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus and the linked vendor/security references. The key facts used here are: Android product scope; Broadcom Wi‑Fi driver involvement; potential kernel-context code execution; the stated prerequisite of compromising a privileged process; NVD’s Android CPE range through 7.1.0; CVSS vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H; and the Google Android Security Bulletin reference dated 2016-12-01. The CVE published date used for timing context is 2017-01-18, and the NVD modified timestamp is not treated as the issue date.
Official resources
- CVE-2014-9910 CVE record (CVE.org)
- CVE-2014-9910 NVD detail (NVD)
- Source item URL (nvd_modified - Source reference)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
CVE published: 2017-01-18T17:59:00.183Z. This debrief uses that publication date for timing context. The later NVD modified timestamp is metadata and not the vulnerability’s disclosure date.