xref: /docs/source.android.com/en/security/bulletin/2016-04-02.html

<html devsite>
  <head>
    <title>Nexus Security BulletinApril 2016</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->



<p><em>Published April 04, 2016 | Updated December 19, 2016</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
The Nexus firmware images have also been released to the
<a href="https://developers.google.com/android/nexus/images">Google Developer site</a>.
Security Patch Levels of April
02, 2016 or later address these issues (refer to the
<a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a>
for instructions on how to check the security patch level).</p>

<p>Partners were notified about the issues described in the bulletin on March 16,
2016 or earlier. Where applicable, source code patches for these issues have been
released to the Android Open Source Project (AOSP) repository.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.</p>

<p><a href="/security/advisory/2016-03-18.html">
Android Security Advisory 2016-03-18</a> previously discussed use of
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>
by a rooting application. <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>
is resolved in this update.
There have been no reports of active customer exploitation or abuse of the other
newly reported issues. Refer to the <a href="#mitigations">Mitigations</a> section
for further details on the <a href="/security/enhancements/index.html">
Android security platform protections</a> and service protections such as SafetyNet,
which improve the security of the Android platform.</p>

<h2 id=mitigations>Mitigations</h2>


<p>This is a summary of the mitigations provided by the
<a href="/security/enhancements/index.html">Android security platform</a> and service
protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities could be successfully exploited on
Android.</p>

<ul>
  <li> Exploitation for many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.
  <li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet, which will warn the user about detected potentially harmful
applications about to be installed. Device rooting tools are prohibited within
Google Play. To protect users who install applications from outside of Google
Play, Verify Apps is enabled by default and will warn users about known rooting
applications. Verify Apps attempts to identify and block installation of known
malicious applications that exploit a privilege escalation vulnerability. If
such an application has already been installed, Verify Apps will notify the
user and attempt to remove any such applications.
  <li> As appropriate, Google Hangouts and Messenger applications do not automatically
pass media to processes such as mediaserver.
</ul>

<h2 id=acknowledgements>Acknowledgements</h2>


<p>The Android Security team would like to thank these researchers for their
contributions:</p>

<ul>
  <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security
Team: CVE-2016-0834, CVE-2016-0841, CVE-2016-0840, CVE-2016-0839, CVE-2016-0838
  <li> Anestis Bechtsoudis (<a href="https://twitter.com/anestisb">@anestisb</a>)
  of CENSUS S.A.: CVE-2016-0842, CVE-2016-0836, CVE-2016-0835
  <li> Brad Ebinger and Santos Cordon of Google Telecom Team: CVE-2016-0847
  <li> Dominik Schrmann of <a href="https://www.ibr.cs.tu-bs.de">Institute for
  Operating Systems and Computer Networks</a>, TU Braunschweig: CVE-2016-2425
  <li> Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>),
  <a href="http://weibo.com/jfpan">pjf</a>, Jianqiang Zhao
  (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) of IceSword Lab,
  Qihoo 360: CVE-2016-0844
  <li> <a href="mailto:gpiskas (a] gmail.com">George Piskas</a> of <a href="https://www.epfl.ch">
  cole polytechnique fdrale de Lausanne</a>: CVE-2016-2426
  <li> Guang Gong () (<a href="https://twitter.com/oldfresher">@oldfresher</a>)
  of <a href="http://www.360.com/">Qihoo 360 Technology Co.Ltd</a>: CVE-2016-2412, CVE-2016-2416
  <li> James Forshaw of Google Project Zero: CVE-2016-2417, CVE-2016-0846
  <li> Jianqiang Zhao(<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>),
  <a href="http://weibo.com/jfpan">pjf</a>, and Gengjia Chen
  (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>) of IceSword Lab,
  Qihoo 360: CVE-2016-2410, CVE-2016-2411
  <li> Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>)
  and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360: CVE-2016-2409
  <li> Nancy Wang of Vertu Corporation LTD: CVE-2016-0837
  <li> <a href="mailto:nasim (a] zamir.ca">Nasim Zamir</a>: CVE-2016-2409
  <li> Nico Golde (<a href="https://twitter.com/iamnion">@iamnion</a>) of Qualcomm
  Product Security Initiative: CVE-2016-2420, CVE-2016-0849
  <li> Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>)
  of Trend Micro: CVE-2016-2418, CVE-2016-2413, CVE-2016-2419
  <li> Richard Shupak: CVE-2016-2415
  <li> Romain Trouv of
  <a href="https://labs.mwrinfosecurity.com/">MWR Labs</a>: CVE-2016-0850
  <li> Stuart Henderson: CVE-2016-2422
  <li> Vishwath Mohan of Android Security: CVE-2016-2424
  <li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>)
  of Alibaba Inc.: CVE-2016-2414
  <li> Wish Wu (<a href="https://twitter.com/wish_wu">@wish_wu</a>)
  of Trend Micro Inc.: CVE-2016-0843
  <li> <a href="mailto:luc2yj (a] gmail.com">Yeonjoon Lee</a> and
  <a href="mailto:xw7 (a] indiana.edu">Xiaofeng Wang</a> of Indiana University Bloomington,
  <a href="mailto:litongxin1991 (a] gmail.com">Tongxin Li</a> and
  <a href="mailto:hanxinhui (a] pku.edu.cn">Xinhui Han</a> of Peking University: CVE-2016-0848
</ul>

<p>The Android Security team also thanks
<a href="mailto:computernik (a] gmail.com">Yuan-Tsung Lo</a>,
<a href="mailto:vancouverdou (a] gmail.com">Wenke Dou</a>,
Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>),
and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>
and <a href="https://www.zimperium.com/">Zimperium</a>
for their contribution to CVE-2015-1805.</p>

<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>


<p>The sections below contain details for each of the security vulnerabilities
that apply to the 2016-04-02 patch level.
There is a description of the issue, a severity rationale, and a table
with the CVE, associated bug, severity, affected versions, and date reported.
When available, we will link the AOSP commit that addressed the issue to the
bug ID. When multiple changes relate to a single bug, additional AOSP references
are linked to numbers following the bug ID.</p>

<h3 id=remote_code_execution_vulnerability_in_dhcpcd>Remote Code Execution Vulnerability in DHCPCD</h3>


<p>A vulnerability in the Dynamic Host Configuration Protocol service could enable
an attacker to cause memory corruption, which could lead to remote code
execution. This issue is rated as Critical severity due to the possibility of
remote code execution within the context of the DHCP client. The DHCP service
has access to privileges that third-party apps could not normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bugs with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2014-6060</td>
    <td><a href="https://android.googlesource.com/platform/external/dhcpcd/+/38cb7a7feff88d58fb4a565ba7f12cd4469af243">
        ANDROID-15268738</a></td>
    <td>Critical</td>
    <td>4.4.4</td>
    <td>July 30, 2014</td>
 </tr>
 <tr>
    <td>CVE-2014-6060</td>
    <td><a href="https://android.googlesource.com/platform/external/dhcpcd/+/de806dfdb6dd3b9dec5d1d23c9029fb300799cf8">
        ANDROID-16677003</a></td>
    <td>Critical</td>
    <td>4.4.4</td>
    <td>July 30, 2014</td>
 </tr>
 <tr>
    <td>CVE-2016-1503</td>
    <td><a href="https://android.googlesource.com/platform/external/dhcpcd/+/1390ace71179f04a09c300ee8d0300aa69d9db09">
        ANDROID-26461634</a></td>
    <td>Critical</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 4, 2016</td>
 </tr>

</table>


<h3 id=remote_code_execution_vulnerability_in_media_codec>Remote Code Execution Vulnerability in Media Codec</h3>


<p>During media file and data processing of a specially crafted file,
vulnerabilities in a media codec used by mediaserver could allow an attacker to
cause memory corruption and remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as a core part of the operating system,
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote code
execution within the context of the mediaserver service. The mediaserver
service has access to audio and video streams, as well as access to privileges
that third-party apps could not normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0834</td>
    <td>ANDROID-26220548*</td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 16, 2015</td>
 </tr>
</table>

<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>


<p>During media file and data processing of a specially crafted file,
vulnerabilities in mediaserver could allow an attacker to cause memory
corruption and remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as a core part of the operating system,
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote code
execution within the context of the mediaserver service. The mediaserver
service has access to audio and video streams, as well as access to privileges
that third-party apps could not normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bugs with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0835</td>
    <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/ba604d336b40fd4bde1622f64d67135bdbd61301">
         ANDROID-26070014</a>
        [<a href="https://android.googlesource.com/platform/external/libmpeg2/+/58a6822d7140137ce957c6d2fc20bae1374186c1">2</a>]
    </td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 6, 2015</td>
 </tr>
 <tr>
    <td>CVE-2016-0836</td>
    <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/8b4ed5a23175b7ffa56eea4678db7287f825e985">
        ANDROID-25812590</a></td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Nov 19, 2015</td>
 </tr>
 <tr>
    <td>CVE-2016-0837</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7a282fb64fef25349e9d341f102d9cea3bf75baf">
        ANDROID-27208621</a></td>
    <td>Critical</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 11, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-0838</td>
    <td><a href="https://android.googlesource.com/platform/external/sonivox/+/3ac044334c3ff6a61cb4238ff3ddaf17c7efcf49">
        ANDROID-26366256</a>
        [<a href="https://android.googlesource.com/platform/external/sonivox/+/24d7c408c52143bce7b49de82f3913fd8d1219cf">2</a>]</td>
    <td>Critical</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td>CVE-2016-0839</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/ebbb82365172337c6c250c6cac4e326970a9e351">
        ANDROID-25753245</a></td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td>CVE-2016-0840</td>
    <td><a href="https://android.googlesource.com/platform/external/libavc/+/c57fc3703ae2e0d41b1f6580c50015937f2d23c1">
         ANDROID-26399350</a></td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td>CVE-2016-0841</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/3097f364237fb552871f7639d37a7afa4563e252">
        ANDROID-26040840</a></td>
    <td>Critical</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>

</table>


<h3 id=remote_code_execution_vulnerability_in_libstagefright>Remote Code Execution Vulnerability in libstagefright</h3>


<p>During media file and data processing of a specially crafted file,
vulnerabilities in libstagefright could allow an attacker to cause memory
corruption and remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as a core part of the operating system,
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution within the context of the mediaserver service. The mediaserver
service has access to audio and video streams, as well as access to privileges
that third-party apps could not normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0842</td>
    <td><a href="https://android.googlesource.com/platform/external/libavc/+/943323f1d9d3dd5c2634deb26cbe72343ca6b3db">
        ANDROID-25818142</a></td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Nov 23, 2015</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_kernel>Elevation of Privilege Vulnerability in Kernel</h3>


<p>An elevation of privilege vulnerability in the kernel could enable a local
malicious application to execute arbitrary code within the kernel. This issue
is rated as Critical severity due to the possibility of a local permanent
device compromise, and the device would possibly need to be repaired by
re-flashing the operating system. This issue was described in <a href="/security/advisory/2016-03-18.html">Android Security Advisory 2016-03-18</a>.</p>

<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-1805</td>
    <td>ANDROID-27275324*</td>
    <td>Critical</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>February 19, 2016</td>
 </tr>
</table>
<p>* The patch in AOSP is available for specific kernel versions:
<a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">3.14</a>,
<a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">3.10</a>, and
<a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">3.4</a>.</p>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_performance_module>Elevation of Privilege Vulnerability in Qualcomm Performance Module</h3>


<p>An elevation of privilege vulnerability in the performance event manager
component for ARM processors from Qualcomm could enable a local malicious
application to execute arbitrary code within the kernel. This issue is rated as
Critical severity due to the possibility of a local permanent device compromise,
and the device would possibly need to be repaired by re-flashing the operating
system.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0843</td>
    <td>ANDROID-25801197*</td>
    <td>Critical</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Nov 19, 2015</td>
 </tr>
</table>

<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_in_qualcomm_rf_component>Elevation of Privilege Vulnerability in Qualcomm RF component</h3>


<p>There is a vulnerability in the Qualcomm RF driver that could enable a local
malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical severity due to the possibility of a
local permanent device compromise, and the device would possibly need to be
repaired by re-flashing the operating system.</p>

<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0844</td>
    <td><a href="https://android.googlesource.com/platform/external/sepolicy/+/57531cacb40682be4b1189c721fd1e7f25bf3786">
        ANDROID-26324307</a>*</td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 25, 2015</td>
 </tr>
</table>
<p>* An additional patch for this issue is located in
<a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=90a9da2ea95e86b4f0ff493cd891a11da0ee67aa">
Linux upstream</a>.</p>

<h3 id=elevation_of_privilege_vulnerability_in_kernel12>Elevation of Privilege Vulnerability in Kernel</h3>


<p>An elevation of privilege vulnerability in the common kernel could enable a
local malicious application to execute arbitrary code in the kernel. This issue
is rated as Critical severity due to the possibility of a local permanent
device compromise and the device would possibly need to be repaired by
re-flashing the operating system.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2014-9322</td>
    <td><a href="https://android.googlesource.com/kernel/common/+/c22e479e335628ce8766cfbf06e2ba17e8f9a1bb">ANDROID-26927260</a>
    [<a href="https://android.googlesource.com/kernel/common/+/1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb">2</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/4c941665c7368a34b146929b31949555e680a4ee">3</a>]<br />
    [<a href="https://android.googlesource.com/kernel/common/+/758f0dac9104b46016af98304656a0268ac3e105">4</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/44d057a37868a60bc2eb6e7d1dcea701f234d56a">5</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/b9b9f908c8ae82b73b9d75181982028b6bc06c2b">6</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/e068734f9e7344997a61022629b92d142a985ab3">7</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/fdc6c1052bc7d89a5826904fbb4318677e8442ce">8</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/211d59c0034ec9d88690c750ccd6da27f6952dc5">9</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/c9e31d5a4747e9967ace6d05896c78516c4c0850">10</a>]
    [<a href="https://android.googlesource.com/kernel/common/+/e01834bfbafd25fd392bf10014451c4e5f34f829">11</a>]</td>
    <td>Critical</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 25, 2015</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_in_imemory_native_interface>
Elevation of Privilege Vulnerability in IMemory Native Interface</h3>


<p>An elevation of privilege vulnerability in the IMemory Native Interface could
enable a local malicious application to execute arbitrary code within the
context of an elevated system application. This issue is rated as High severity
because it could be used to gain elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0846</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/native/+/f3199c228aced7858b75a8070b8358c155ae0149">
        ANDROID-26877992</a></td>
    <td>High</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 29, 2016</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_telecom_component>
Elevation of Privilege Vulnerability in Telecom Component</h3>


<p>An elevation of privilege vulnerability in the Telecom Component could enable
an attacker to make calls appear to come from any arbitrary number. This issue
is rated as High severity because it could be used to gain local access to
elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0847</td>
    <td><a href="https://android.googlesource.com/platform/packages/services/Telecomm/+/2750faaa1ec819eed9acffea7bd3daf867fda444">
        ANDROID-26864502</a>
        [<a href="https://android.googlesource.com/platform/packages/services/Telephony/+/a294ae5342410431a568126183efe86261668b5d">2</a>]
    </td>
    <td>High</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_download_manager>
Elevation of Privilege Vulnerability in Download Manager</h3>


<p>An elevation of privilege vulnerability in the Download Manager could enable an
attacker to gain access to unauthorized files in private storage. This issue is
rated as High severity because it could be used to gain local access to
elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>

<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0848</td>
    <td><a href="https://android.googlesource.com/platform/packages/providers/DownloadProvider/+/bdc831357e7a116bc561d51bf2ddc85ff11c01a9">
        ANDROID-26211054</a></td>
    <td>High</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Dec 14, 2015</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_in_recovery_procedure>
Elevation of Privilege Vulnerability in Recovery Procedure</h3>


<p>An elevation of privilege vulnerability in the Recovery Procedure could enable
a local malicious application to execute arbitrary code within the context of
an elevated system application. This issue is rated as High severity because it
could be used to gain elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0849</td>
    <td><a href="https://android.googlesource.com/platform/bootable/recovery/+/28a566f7731b4cb76d2a9ba16d997ac5aeb07dad">
        ANDROID-26960931</a></td>
    <td>High</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 3, 2016</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_in_bluetooth>
Elevation of Privilege Vulnerability in Bluetooth</h3>


<p>An elevation of privilege vulnerability in Bluetooth could enable an untrusted
device to pair with the phone during the initial pairing process. This could
lead to unauthorized access of the device resources, such as the Internet
connection. This issue is rated as High severity because it could be used to
gain elevated capabilities that are not accessible to untrusted devices.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-0850</td>
    <td><a href="https://android.googlesource.com/platform/external/bluetooth/bluedroid/+/c677ee92595335233eb0e7b59809a1a94e7a678a">
        ANDROID-26551752</a></td>
    <td>High</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 13, 2016</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_in_texas_instruments_haptic_driver>
Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver</h3>


<p>There is an elevation of privilege vulnerability in a Texas Instruments haptic
kernel driver that could enable a local malicious application to execute
arbitrary code within the context of the kernel. Normally a kernel code
execution bug like this would be rated Critical, but because it first requires
compromising a service that can call the driver, it is rated as High severity
instead.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2409</td>
    <td>ANDROID-25981545*</td>
    <td>High</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 25, 2015</td>
 </tr>
</table>
<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_video_kernel_driver>
Elevation of Privilege Vulnerability in Qualcomm Video Kernel Driver</h3>


<p>There is an elevation of privilege vulnerability in a Qualcomm video kernel
driver that could enable a local malicious application to execute arbitrary
code within the context of the kernel. Normally a kernel code execution
vulnerability would be rated Critical, but because it requires first
compromising a service that can call the driver, it is rated as High severity
instead.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2410</td>
    <td>ANDROID-26291677*</td>
    <td>High</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 21, 2015</td>
 </tr>
</table>
<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_power_management_component>
Elevation of Privilege Vulnerability in Qualcomm Power Management component</h3>


<p>There is an elevation of privilege vulnerability in a Qualcomm Power Management
kernel driver that could enable a local malicious application to execute
arbitrary code within the context of the kernel. Normally a kernel code
execution bug like this would be rated Critical, but because it requires first
compromising the device and elevation to root, it is rated as High severity
instead.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2411</td>
    <td>ANDROID-26866053*</td>
    <td>High</td>
    <td>6.0, 6.0.1</td>
    <td>Jan 28, 2016</td>
 </tr>
</table>
<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_vulnerability_in_system_server>
Elevation of Privilege Vulnerability in System_server</h3>


<p>An elevation of privilege vulnerability in System_server could enable a local
malicious application to execute arbitrary code within the context of an
elevated system application. This issue is rated as High severity because it
could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2412</td>
    <td><a href="https://android.googlesource.com/platform/external/skia/+/b36c23b3e6b0b316075cc43e466d44c62508fcac">
        ANDROID-26593930</a></td>
    <td>High</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 15, 2016</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_mediaserver>
Elevation of Privilege Vulnerability in Mediaserver</h3>


<p>An elevation of privilege vulnerability in mediaserver could enable a local
malicious application to execute arbitrary code within the context of an
elevated system application. This issue is rated as High severity because it
could be used to gain elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2413</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/25be9ac20db51044e1b09ca67906355e4f328d48">
        ANDROID-26403627</a></td>
    <td>High</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 5, 2016</td>
 </tr>
</table>


<h3 id=denial_of_service_vulnerability_in_minikin>Denial of Service Vulnerability in Minikin</h3>


<p>A denial of service vulnerability in the Minikin library could allow a local
attacker to temporarily block access to an affected device. An attacker could
cause an untrusted font to be loaded and cause an overflow in the Minikin
component, which leads to a crash. This is rated as High severity because
Denial of Service would lead to a continuous reboot loop.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2414</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/minikin/+/ca8ac8acdad662230ae37998c6c4091bb39402b6">
        ANDROID-26413177</a>
        [<a href="https://android.googlesource.com/platform/frameworks/minikin/+/f4785aa1947b8d22d5b19559ef1ca526d98e0e73">2</a>]
    </td>
    <td>High</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Nov 3, 2015</td>
 </tr>
</table>


<h3 id=information_disclosure_vulnerability_in_exchange_activesync>
Information Disclosure Vulnerability in Exchange ActiveSync</h3>


<p>An information disclosure vulnerability in Exchange ActiveSync could enable a
local malicious application to gain access to a users private information.
This issue is rated as High severity because it allows remote access to
protected data.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2415</td>
    <td><a href="https://android.googlesource.com/platform/packages/apps/Exchange/+/0d1a38b1755efe7ed4e8d7302a24186616bba9b2">
        ANDROID-26488455</a></td>
    <td>High</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 11, 2016</td>
 </tr>
</table>


<h3 id=information_disclosure_vulnerability_in_mediaserver>Information Disclosure Vulnerability in Mediaserver</h3>


<p>An information disclosure vulnerability in Mediaserver could permit a bypass of
security measures in place to increase the difficulty of attackers exploiting
the platform. These issues are rated as High severity because they could also
be used to gain elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to third-party applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bugs with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2416</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/native/+/85d253fab5e2c01bd90990667c6de25c282fc5cd">
        ANDROID-27046057</a>
        [<a href="https://android.googlesource.com/platform/frameworks/native/+/a40b30f5c43726120bfe69d41ff5aeb31fe1d02a">2</a>]
    </td>
    <td>High</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 5, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2417</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/1171e7c047bf79e7c93342bb6a812c9edd86aa84">
        ANDROID-26914474</a></td>
    <td>High</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 1, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2418</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/8d87321b704cb3f88e8cae668937d001fd63d5e3">
        ANDROID-26324358</a></td>
    <td>High</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 24, 2015</td>
 </tr>
 <tr>
    <td>CVE-2016-2419</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/5a856f2092f7086aa0fea9ae06b9255befcdcd34">
        ANDROID-26323455</a></td>
    <td>High</td>
    <td>6.0, 6.0.1</td>
    <td>Dec 24, 2015</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_debuggerd_component>
Elevation of Privilege Vulnerability in Debuggerd Component</h3>


<p>An elevation of privilege vulnerability in the Debuggerd component could enable
a local malicious application to execute arbitrary code that could lead to a
permanent device compromise. As a result, the device would possibly need to be
repaired by re-flashing the operating system. Normally a code execution bug
like this would be rated as Critical, but because it enables an elevation of
privilege from system to root only in Android version 4.4.4, it is rated as
Moderate instead. In Android versions 5.0 and above, SELinux rules prevent
third-party applications from reaching the affected code.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP links</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2420</td>
    <td><a href="https://android.googlesource.com/platform/system/core/+/669ecc2f5e80ff924fa20ce7445354a7c5bcfd98">
        ANDROID-26403620</a>
        [<a href="https://android.googlesource.com/platform/system/core/+/81df1cc77722000f8d0025c1ab00ced123aa573c">2</a>]
    </td>
    <td>Moderate</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 5, 2016</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>
Elevation of Privilege Vulnerability in Setup Wizard</h3>


<p>A vulnerability in the Setup Wizard could allow an attacker to bypass the
Factory Reset Protection and gain access to the device. This is rated as
Moderate severity because it potentially allows someone with physical access to
a device to bypass the Factory Reset Protection, which would enable an attacker
to successfully reset a device, erasing all data.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2421</td>
    <td>ANDROID-26154410*</td>
    <td>Moderate</td>
    <td>5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>

<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary release for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3>


<p>An elevation of privilege vulnerability in Wi-Fi could enable a local malicious
application to execute arbitrary code within the context of an elevated system
application. This issue is rated as Moderate severity because it could be used
to gain elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2422</td>
    <td><a href="https://android.googlesource.com/platform/packages/apps/CertInstaller/+/70dde9870e9450e10418a32206ac1bb30f036b2c">
        ANDROID-26324357</a></td>
    <td>Moderate</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Dec 23, 2015</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_in_telephony>Elevation of Privilege Vulnerability in Telephony</h3>


<p>A vulnerability in Telephony could allow an attacker to bypass the Factory
Reset Protection and gain access to the device. This is rated as Moderate
severity because it potentially allows someone with physical access to a device
to bypass the Factory Reset Protection, which would enable an attacker to
successfully reset a device, erasing all data.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2423</td>
    <td><a href="https://android.googlesource.com/platform/packages/services/Telecomm/+/a06c9a4aef69ae27b951523cf72bf72412bf48fa">
        ANDROID-26303187</a></td>
    <td>Moderate</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>


<h3 id=denial_of_service_in_syncstorageengine>Denial of Service Vulnerability in SyncStorageEngine</h3>


<p>A denial of service vulnerability in SyncStorageEngine could enable a local
malicious application to cause a reboot loop. This issue is rated as Moderate
severity because it could be used to cause a local temporary denial of service
that would possibly need to be fixed though a factory reset.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2424</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/d3383d5bfab296ba3adbc121ff8a7b542bde4afb">
        ANDROID-26513719</a></td>
    <td>Moderate</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>


<h3 id=information_disclosure_vulnerability_in_aosp_mail>Information Disclosure Vulnerability in AOSP Mail</h3>


<p>An information disclosure vulnerability in AOSP Mail could enable a local
malicious application to gain access to a users private information. This
issue is rated as Moderate severity because it could be used to improperly gain
dangerous permissions.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bugs with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2425</td>
    <td><a href="https://android.googlesource.com/platform/packages/apps/UnifiedEmail/+/0d9dfd649bae9c181e3afc5d571903f1eb5dc46f">
        ANDROID-26989185</a></td>
    <td>Moderate</td>
    <td>4.4.4, 5.1.1, 6.0, 6.0.1</td>
    <td>Jan 29, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2425</td>
    <td>ANDROID-7154234*</td>
    <td>Moderate</td>
    <td>5.0.2</td>
    <td>Jan 29, 2016</td>
 </tr>
</table>

<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary release for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=information_disclosure_vulnerability_in_framework>Information Disclosure Vulnerability in Framework</h3>


<p>An information disclosure vulnerability in the Framework component could allow
an application to access sensitive information. This issue is rated Moderate
severity because it could be used to improperly access to data without
permission.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP link</th>
    <th>Severity</th>
    <th>Updated versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2426</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/63363af721650e426db5b0bdfb8b2d4fe36abdb0">
        ANDROID-26094635</a></td>
    <td>Moderate</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Dec 8, 2015</td>
 </tr>
</table>

<h2 id=common_questions_and_answers>Common Questions and Answers</h2>


<p>This section reviews answers to common questions that may occur after reading
this bulletin.</p>

<p><strong>1. How do I determine if my device is updated to address these issues? </strong></p>

<p>Security Patch Levels of April 2, 2016 or later address these issues (refer to the
<a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a>
for instructions on how to check the security patch level). Device
manufacturers that include these updates should set the patch string level to:
[ro.build.version.security_patch]:[2016-04-02]</p>

<p><strong>2. Why is this Security Patch Level April 2, 2016?</strong></p>

<p>The Security Patch Level for the monthly security update is normally set to the
first of the month. For April, a Security Patch Level of April 1, 2016
indicates that all issues described in this bulletin with the exception of CVE-2015-1805, as described in
<a href="/security/advisory/2016-03-18.html">Android Security Advisory 2016-03-18</a>
have been addressed. A Security Patch Level of April 2, 2016 indicates that
all issues described in this bulletin including CVE-2015-1805, as described in
<a href="/security/advisory/2016-03-18.html">Android Security Advisory 2016-03-18</a>
have been addressed.</p>

<h2 id=revisions>Revisions</h2>


<ul>
  <li> April 04, 2016: Bulletin published.
  <li> April 06, 2016: Bulletin revised to include AOSP links.
  <li> April 07, 2016: Bulletin revised to include an additional AOSP link.
  <li> July 11, 2016: Updated description of CVE-2016-2427.
  <li> August 01, 2016: Updated description of CVE-2016-2427
  <li> December 19, 2016: Updated to remove CVE-2016-2427, which was reverted.
</ul>

  </body>
</html>