xref: /docs/source.android.com/en/security/bulletin/2016-06-01.html

<html devsite>
  <head>
    <title>Android Security BulletinJune 2016</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->



<p><em>Published June 06, 2016 | Updated June 08, 2016</em></p>

<p>The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Alongside the bulletin, we have released a security
update to Nexus devices through an over-the-air (OTA) update. The Nexus
firmware images have also been released to the
<a href="https://developers.google.com/android/nexus/images">Google Developer site</a>.
Security Patch Levels of June 01, 2016 or later address these issues. Refer
to the <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">
Nexus documentation</a> to learn how to check the security patch level.</p>

<p>Partners were notified about the issues described in the bulletin on May 02,
2016 or earlier. Where applicable, source code patches for these issues have
been released to the Android Open Source Project (AOSP) repository.</p>

<p>The most severe issue is a Critical security vulnerability that could enable
remote code execution on an affected device through multiple methods such as
email, web browsing, and MMS when processing media files. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.</p>

<p>We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the <a href="#mitigations">
Android and Google Service Mitigations</a> section for details on the
<a href="/security/enhancements/index.html">
Android security platform protections</a> and service protections such as
SafetyNet, which improve the security of the Android platform.</p>

<p>We encourage all customers to accept these updates to their devices.</p>

<h2 id=mitigations>Android and Google Service Mitigations</h2>


<p>This is a summary of the mitigations provided by the
<a href="/security/enhancements/index.html">
Android security platform</a> and service protections, such as SafetyNet.
These capabilities reduce the likelihood that security vulnerabilities could
be successfully exploited on Android.</p>

<ul>
  <li> Exploitation for many issues on Android is made more difficult by enhancements
       in newer versions of the Android platform. We encourage all users to update to
       the latest version of Android where possible.
  <li> The Android Security team actively monitors for abuse with
       <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">
       Verify Apps and SafetyNet</a>, which are designed to warn users about
       <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">
       Potentially Harmful Applications</a>. Verify Apps is enabled by default
       on devices with <a href="http://www.android.com/gms">Google Mobile Services</a>,
       and is especially important for users who install applications from outside
       of Google Play. Device rooting tools are prohibited within Google Play, but
       Verify Apps warns users when they attempt to install a detected rooting
       applicationno matter where it comes from. Additionally, Verify Apps attempts
       to identify and block installation of known malicious applications that exploit
       a privilege escalation vulnerability. If such an application has already been
       installed, Verify Apps will notify the user and attempt to remove the detected
       application.
  <li> As appropriate, Google Hangouts and Messenger applications do not automatically
       pass media to processes such as Mediaserver.
</ul>

<h2 id=acknowledgements>Acknowledgements</h2>


<p>We would like to thank these researchers for their contributions:</p>

<ul>
  <li> Di Shen (<a href="https://twitter.com/returnsme">&#64;returnsme</a>) of KeenLab
   (<a href="https://twitter.com/keen_lab">&#64;keen_lab</a>), Tencent: CVE-2016-2468
  <li> <a href="http://bits-please.blogspot.com">Gal Beniamini</a>
   (<a href="https://twitter.com/laginimaineb">&#64;laginimaineb</a>): CVE-2016-2476
  <li> Gengjia Chen (<a href="https://twitter.com/chengjia4574">&#64;chengjia4574</a>), pjf
   (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab, Qihoo 360
   Technology Co. Ltd.: CVE-2016-2492
  <li> Hao Chen, Guang Gong, and Wenlin Yang of Mobile Safe Team, Qihoo 360 Technology
    Co. Ltd.: CVE-2016-2470, CVE-2016-2471, CVE-2016-2472, CVE-2016-2473,
    CVE-2016-2498
  <li> <a href="http://www.iwobanas.com">Iwo Banas</a>: CVE-2016-2496
  <li> Jianqiang Zhao(<a href="https://twitter.com/jianqiangzhao">&#64;jianqiangzhao</a>)
    and pjf (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab,
    Qihoo 360 Technology Co. Ltd.: CVE-2016-2490, CVE-2016-2491
  <li> Lee Campbell of Google: CVE-2016-2500
  <li> Maciej Szawowski of the Google Security Team: CVE-2016-2474
  <li> Marco Nelissen and Max Spector of Google: CVE-2016-2487
  <li> Mark Brand of Google Project Zero: CVE-2016-2494
  <li> Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">&#64;Mingjian_Zhou</a>),
   Chiachih Wu (<a href="https://twitter.com/chiachih_wu">&#64;chiachih_wu</a>), and Xuxian
   Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-2477, CVE-2016-2478,
   CVE-2016-2479, CVE-2016-2480, CVE-2016-2481, CVE-2016-2482, CVE-2016-2483, CVE-2016-2484,
   CVE-2016-2485, CVE-2016-2486
  <li> <a href="mailto:sbauer (a] plzdonthack.me">Scott Bauer</a> (<a href="https://twitter.com/ScottyBauer1">&#64;ScottyBauer1</a>):
       CVE-2016-2066, CVE-2016-2061, CVE-2016-2465, CVE-2016-2469, CVE-2016-2489
  <li> Vasily Vasilev: CVE-2016-2463
  <li> Weichao Sun (<a href="https://twitter.com/sunblate">&#64;sunblate</a>) of Alibaba Inc.: CVE-2016-2495
  <li> Xiling Gong of Tencent Security Platform Department: CVE-2016-2499
  <li> Zach Riggle (<a href="https://twitter.com/ebeip90">&#64;ebeip90</a>) of the Android Security Team: CVE-2016-2493
</ul>

<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>


<p>In the sections below, we provide details for each of the security
vulnerabilitiesi that apply to the 2016-06-01 patch level. There is a description of the issue,
a severity rationale, and a table with the CVE, associated Android bug, severity,
updated Nexus devices, updated AOSP versions (where applicable), and date reported.
When available, we will link the AOSP change that addressed the issue to the bug ID.
When multiple changes relate to a single bug, additional AOSP references are linked to
numbers following the bug ID.</p>

<h3 id=remote_code_execution_vulnerability_in_mediaserver>
Remote Code Execution Vulnerability in Mediaserver</h3>


<p>A remote code execution vulnerability in Mediaserver could enable an attacker
using a specially crafted file to cause memory corruption during media file and
data processing. This issue is rated as Critical due to the possibility of
remote code execution within the context of the Mediaserver process. The
Mediaserver process has access to audio and video streams, as well as access to
privileges that third-party apps could not normally access.</p>

<p>The affected functionality is provided as a core part of the operating system,
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2463</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/2b6f22dc64d456471a1dc6df09d515771d1427c8">27855419</a></td>
    <td>Critical</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 25, 2016</td>
 </tr>
</table>


<h3 id=remote_code_execution_vulnerabilities_in_libwebm>
Remote Code Execution Vulnerabilities in libwebm</h3>


<p>Remote code execution vulnerabilities with libwebm could enable an attacker
using a specially crafted file to cause memory corruption during media file and
data processing. This issue is rated as Critical due to the possibility of
remote code execution within the context of the Mediaserver process. The
Mediaserver process has access to audio and video streams, as well as access to
privileges that third-party apps could not normally access.</p>

<p>The affected functionality is provided as a core part of the operating system,
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2464</td>
    <td><a href="https://android.googlesource.com/platform/external/libvpx/+/cc274e2abe8b2a6698a5c47d8aa4bb45f1f9538d">23167726</a>
       [<a href="https://android.googlesource.com/platform/external/libvpx/+/65c49d5b382de4085ee5668732bcb0f6ecaf7148">2</a>]
    </td>
    <td>Critical</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_video_driver>
Elevation of Privilege Vulnerability in Qualcomm Video Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm video driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility
of a local permanent device compromise, which may require reflashing the
operating system to repair the device.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2465</td>
    <td>27407865*</td>
    <td>Critical</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
    <td>Feb 21, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_sound_driver>
Elevation of Privilege Vulnerability in Qualcomm Sound Driver</h3>

<p>An elevation of privilege vulnerability in the Qualcomm sound driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility
of a local permanent device compromise, which may require reflashing the
operating system to repair the device.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2466</td>
    <td>27947307*</td>
    <td>Critical</td>
    <td>Nexus 6</td>
    <td>Feb 27, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2467</td>
    <td>28029010*</td>
    <td>Critical</td>
    <td>Nexus 5</td>
    <td>Mar 13, 2014</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_gpu_driver>
Elevation of Privilege Vulnerability in Qualcomm GPU Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm GPU driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2468</td>
    <td>27475454*</td>
    <td>Critical</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7</td>
    <td>Mar 2, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2062</td>
    <td>27364029*</td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Mar 6, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wi-fi_driver>
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility
of a local permanent device compromise, which may require reflashing the
operating system to repair the device.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2474</td>
    <td>27424603*</td>
    <td>Critical</td>
    <td>Nexus 5X</td>
    <td>Google Internal</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_broadcom_wi-fi_driver>
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver</h3>


<p>An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
enable a local malicious application to invoke system calls changing the device
settings and behavior without the privileges to do so. This issue is rated as
High because it could be used to gain local access to elevated capabilities.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2475</td>
    <td>26425765*</td>
    <td>High</td>
    <td>Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, Pixel C</td>
    <td>Jan 6, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_sound_driver>
Elevation of Privilege Vulnerability in Qualcomm Sound Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm sound driver could
enable a malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising
a service that can call the driver.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2066</td>
    <td>26876409*</td>
    <td>High</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
    <td>Jan 29, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2469</td>
    <td>27531992*</td>
    <td>High</td>
    <td>Nexus 5, Nexus 6, Nexus 6P</td>
    <td>Mar 4, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_mediaserver>
Elevation of Privilege Vulnerability in Mediaserver</h3>


<p>An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of an
elevated system application. This issue is rated as High because it could be
used to gain local access to elevated capabilities, such as
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or
<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2476</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/295c883fe3105b19bcd0f9e07d54c6b589fc5bff">27207275</a>
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/94d9e646454f6246bf823b6897bd6aea5f08eda3">2</a>]
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/0bb5ced60304da7f61478ffd359e7ba65d72f181">3</a>]
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/db829699d3293f254a7387894303451a91278986">4</a>]
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 11, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2477</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/f22c2a0f0f9e030c240468d9d18b9297f001bcf0">27251096</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 17, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2478</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/f22c2a0f0f9e030c240468d9d18b9297f001bcf0">27475409</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 3, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2479</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/46e305be6e670a5a0041b0b4861122a0f1aabefa">27532282</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 6, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2480</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/560ccdb509a7b86186fac0fce1b25bd9a3e6a6e8">27532721</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 6, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2481</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/89913d7df36dbeb458ce165856bd6505a2ec647d">27532497</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 6, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2482</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/46e305be6e670a5a0041b0b4861122a0f1aabefa">27661749</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 14, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2483</td>
    <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/89913d7df36dbeb458ce165856bd6505a2ec647d">27662502</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 14, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2484</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7cea5cb64b83d690fe02bc210bbdf08f5a87636f">27793163</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 22, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2485</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7cea5cb64b83d690fe02bc210bbdf08f5a87636f">27793367</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 22, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2486</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/ad40e57890f81a3cf436c5f06da66396010bd9e5">27793371</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 22, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2487</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/918eeaa29d99d257282fafec931b4bda0e3bae12">27833616</a>
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/d2f47191538837e796e2b10c1ff7e1ee35f6e0ab">2</a>]
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/4e32001e4196f39ddd0b86686ae0231c8f5ed944">3</a>]
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_camera_driver>
Elevation of Privilege Vulnerability in Qualcomm Camera Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm camera driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a service that can call the driver.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2061</td>
    <td>27207747*</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Feb 15, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2488</td>
    <td>27600832*</td>
    <td>High</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013)</td>
    <td>Google Internal</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_video_driver_2>
Elevation of Privilege Vulnerability in Qualcomm Video Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm video driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a service that can call the driver.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2489</td>
    <td>27407629*</td>
    <td>High</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
    <td>Feb 21, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_nvidia_camera_driver>
Elevation of Privilege Vulnerability in NVIDIA Camera Driver</h3>


<p>An elevation of privilege vulnerability in the NVIDIA camera driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a service to call the driver.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2490</td>
    <td>27533373*</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Mar 6, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2491</td>
    <td>27556408*</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Mar 8, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wi-fi_driver_2>
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3>


<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
enable a malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising
a service that can call the driver.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2470</td>
    <td>27662174*</td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 13, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2471</td>
    <td>27773913*</td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 19, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2472</td>
    <td>27776888*</td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 20, 2016</td>
 </tr>
 <tr>
    <td>CVE-2016-2473</td>
    <td>27777501*</td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 20, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_mediatek_power_management_driver>
Elevation of Privilege Vulnerability in MediaTek Power Management Driver</h3>


<p>An elevation of privilege in the MediaTek power management driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising
the device and an elevation to root to call the driver.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2492</td>
    <td>28085410*</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 7, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=elevation_of_privilege_vulnerability_in_sd_card_emulation_layer>
Elevation of Privilege Vulnerability in SD Card Emulation Layer</h3>


<p>An elevation of privilege vulnerability in the SD Card userspace emulation
layer could enable a local malicious application to execute arbitrary code
within the context of an elevated system application. This issue is rated as
High because it could be used to gain local access to elevated capabilities,
such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permissions privileges, which are not accessible to a third-party application.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2494</td>
    <td><a href="https://android.googlesource.com/platform/system/core/+/864e2e22fcd0cba3f5e67680ccabd0302dfda45d">28085658</a>
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 7, 2016</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_broadcom_wi-fi_driver_2>
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver</h3>


<p>An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a service to call the driver.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2493</td>
    <td>26571522*</td>
    <td>High</td>
    <td>Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus Player, Pixel C</td>
    <td>Google Internal</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id=remote_denial_of_service_vulnerability_in_mediaserver>
Remote Denial of Service Vulnerability in Mediaserver</h3>


<p>A remote denial of service vulnerability in Mediaserver could enable an
attacker to use a specially crafted file to cause a device hang or reboot. This
issue is rated as High due to the possibility of remote denial of service.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2495</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/45737cb776625f17384540523674761e6313e6d4">28076789</a>
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/b57b3967b1a42dd505dbe4fcf1e1d810e3ae3777">2</a>]
    </td>
    <td>High</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 6, 2016</td>
 </tr>
</table>

<h3 id=elevation_of_privilege_vulnerability_in_framework_ui>
Elevation of Privilege Vulnerability in Framework UI</h3>


<p>An elevation of privilege vulnerability in the Framework UI permission dialog
window could enable an attacker to gain access to unauthorized files in private
storage. This issue is rated as Moderate because it could be used to improperly
gain "<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>" permissions.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2496</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/native/+/03a53d1c7765eeb3af0bc34c3dff02ada1953fbf">26677796</a>
       [<a href="https://android.googlesource.com/platform/frameworks/base/+/613f63b938145bb86cd64fe0752eaf5e99b5f628">2</a>]
       [<a href="https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2068c7997265011ddc5e4dfa3418407881f7f81e">3</a>]
    </td>
    <td>Moderate</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>6.0, 6.1</td>
    <td>May 26, 2015</td>
 </tr>
</table>

<h3 id=information_disclosure_vulnerability_in_qualcomm_wi-fi_driver>
Information Disclosure Vulnerability in Qualcomm Wi-Fi Driver</h3>


<p>An information disclosure in the Qualcomm Wi-Fi driver could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it first requires compromising a service
that can call the driver.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2498</td>
    <td>27777162*</td>
    <td>Moderate</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 20, 2016</td>
 </tr>
</table>
<p>
* The patch for this issue is not in AOSP. The update is contained in the latest
binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>


<h3 id=information_disclosure_vulnerability_in_mediaserver>
Information Disclosure Vulnerability in Mediaserver</h3>


<p>An information disclosure vulnerability in Mediaserver could allow an
application to access sensitive information. This issue is rated as Moderate
because it could be used to access data without permission.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2499</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/dd3546765710ce8dd49eb23901d90345dec8282f">27855172</a>
    </td>
    <td>Moderate</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 24, 2016</td>
 </tr>
</table>


<h3 id=information_disclosure_vulnerability_in_activity_manager>
Information Disclosure Vulnerability in Activity Manager</h3>


<p>An information disclosure vulnerability in the Activity Manager component could
allow an application to access sensitive information. This issue is rated
Moderate because it could be used to access data without permission.</p>
<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
 <tr>
    <th>CVE</th>
    <th>Android bugs</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2016-2500</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/9878bb99b77c3681f0fda116e2964bac26f349c3">19285814</a>
    </td>
    <td>Moderate</td>
    <td><a href="#nexus_devices">All Nexus</a></td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google Internal</td>
 </tr>
</table>


<h2 id=common_questions_and_answers>Common Questions and Answers</h2>


<p>This section answers common questions that may occur after reading this
bulletin.</p>

<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>

<p>Security Patch Levels of June 01, 2016 or later address these issues (refer to
the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a>
for instructions on how to check the security patch level). Device
manufacturers that include these updates should set the patch string level to:
[ro.build.version.security_patch]:[2016-06-01]</p>

<p id="nexus_devices"><strong>2. How do I determine which Nexus devices are affected by each issue?</strong></p>

<p>In the <a href="#security_vulnerability_summary">Security Vulnerability Details</a> section,
each table has an Updated Nexus devices column that covers the range
of affected Nexus devices updated for each issue. This column has a few
options:</p>

<ul>
  <li> <strong>All Nexus devices</strong>: If an issue affects all Nexus devices, the table
       will have All Nexus in the <em>Updated Nexus devices</em> column. All Nexus
       encapsulates the following <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">
       supported devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013),
       Nexus 9, Android One, Nexus Player, and Pixel C.</li>
  <li> <strong>Some Nexus devices</strong>: If an issue doesnt affect all Nexus devices,
       the affected Nexus devices are listed in the <em>Updated Nexus devices</em> column.</li>
  <li> <strong>No Nexus devices</strong>: If no Nexus devices are affected by the issue,
       the table will have None in the <em>Updated Nexus devices</em> column.</li>
</ul>

<h2 id=revisions>Revisions</h2>


<ul>
  <li> June 06, 2016: Bulletin published.</li>
  <li>June 07, 2016:
    <ul>
      <li>Bulletin revised to include AOSP links.
      <li>CVE-2016-2496 removed from bulletin.
    </ul>
  </li>
  <li>June 08, 2016: CVE-2016-2496 added back to bulletin.</li>
</ul>

  </body>
</html>