1 <html devsite> 2 <head> 3 <title>Android Security BulletinJuly 2016</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>Published July 06, 2016 | Updated July 14, 2016</em></p> 27 <p>The Android Security Bulletin contains details of security vulnerabilities 28 affecting Android devices. Alongside the bulletin, we have released a security 29 update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware 30 images have also been released to the <a 31 href="https://developers.google.com/android/nexus/images">Google Developer 32 site</a>. Security patch levels of July 05, 2016 or later address all applicable 33 issues in this bulletin. Refer to the <a 34 href="https://support.google.com/nexus/answer/4457705#nexus_devices">documentation</a> 35 to learn how to check the security patch level.</p> 36 <p> 37 Partners were notified about the issues described in the bulletin on June 06, 38 2016 or earlier. Where applicable, source code patches for these issues have 39 been released to the Android Open Source Project (AOSP) repository. 40 This bulletin also includes links to patches outside of AOSP.</p> 41 42 <p>The most severe of these issues is a Critical security vulnerability that could 43 enable remote code execution on an affected device through multiple methods such 44 as email, web browsing, and MMS when processing media files. The 45 <a href="/security/overview/updates-resources.html#severity">severity 46 assessment</a> is based on the effect that exploiting the vulnerability would 47 possibly have on an affected device, assuming the platform and service 48 mitigations are disabled for development purposes or if successfully bypassed.</p> 49 <p>We have had no reports of active customer exploitation or abuse of these newly 50 reported issues. Refer to the <a href="#mitigations">Android and Google service mitigations</a> 51 section for details on the 52 <a href="/security/enhancements/index.html">Android 53 security platform protections</a> and service protections such as SafetyNet, 54 which improve the security of the Android platform.</p> 55 <p>We encourage all customers to accept these updates to their devices.</p> 56 <h2 id="announcements">Announcements</h2> 57 <ul> 58 <li>This bulletin defines two security patch level strings to provide Android 59 partners with the flexibility to move more quickly to fix a subset of 60 vulnerabilities that are similar across all Android devices. See 61 <a href="#common-questions-and-answers">Common questions and answers</a> 62 for additional information: 63 <ul> 64 <li><strong>2016-07-01</strong>: Partial security patch level string. This 65 security patch level string indicates that all issues associated with 66 2016-07-01 are addressed. 67 <li><strong>2016-07-05</strong>: Complete security patch level string. This 68 security patch level string indicates that all issues associated with 69 2016-07-01 and 2016-07-05 are addressed.</li> 70 </ul> 71 </li> 72 <li>Supported Nexus devices will be receiving a single OTA update with the 73 July 05, 2016 security patch level.</li> 74 </ul> 75 76 <h2 id="mitigations">Android and Google service mitigations</h2> 77 <p>This is a summary of the mitigations provided by the <a 78 href="/security/enhancements/index.html">Android 79 security platform</a> and service protections such as SafetyNet. These 80 capabilities reduce the likelihood that security vulnerabilities could be 81 successfully exploited on Android.</p> 82 <ul> 83 <li>Exploitation for many issues on Android is made more difficult by 84 enhancements in newer versions of the Android platform. We encourage all users 85 to update to the latest version of Android where possible.</li> 86 <li>The Android Security team actively monitors for abuse with 87 <a href="/security/reports/Google_Android_Security_2015_Report_Final.pdf"> 88 Verify Apps and SafetyNet</a>, which are designed to warn users about 89 <a href="/security/reports/Google_Android_Security_PHA_classifications.pdf"> 90 Potentially Harmful Applications</a>. Verify Apps is enabled by default on devices with 91 <a href="http://www.android.com/gms">Google Mobile Services</a>, and is especially 92 important for users who install applications from outside of Google Play. Device 93 rooting tools are prohibited within Google Play, but Verify Apps warns users 94 when they attempt to install a detected rooting applicationno matter where it 95 comes from. Additionally, Verify Apps attempts to identify and block 96 installation of known malicious applications that exploit a privilege escalation 97 vulnerability. If such an application has already been installed, Verify Apps 98 will notify the user and attempt to remove the detected application.</li> 99 <li>As appropriate, Google Hangouts and Messenger applications do not 100 automatically pass media to processes such as Mediaserver.</li> 101 </ul> 102 103 <h2 id="acknowledgements">Acknowledgements</h2> 104 <p>We would like to thank these researchers for their contributions:</p> 105 <ul> 106 <li>Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 107 Team: CVE-2016-3756, CVE-2016-3741, CVE-2016-3743, CVE-2016-3742 108 <li>Adam Donenfeld et al. of Check Point Software Technologies Ltd.: CVE-2016-2503 109 <li>Adam Powell of Google: CVE-2016-3752 110 <li>Alex Chapman and Paul Stone of Context Information Security: CVE-2016-3763 111 <li>Andy Tyler (<a href="https://twitter.com/ticarpi">@ticarpi</a>) of 112 <a href="https://www.e2e-assure.com/">e2e-assure</a>: CVE-2016-2457 113 <li>Ben Hawkes of Google Project Zero: CVE-2016-3775 114 <li>Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), 115 Yuan-Tsung Lo (<a href="mailto:computernik (a] gmail.com">computernik (a] gmail.com</a>), 116 and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3770, 117 CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774 118 <li>Christopher Tate of Google: CVE-2016-3759 119 <li>Di Shen (<a href="https://twitter.com/returnsme">@returnsme</a>) of KeenLab 120 (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-3762 121 <li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>), 122 pjf (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab, 123 <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd.</a>: CVE-2016-3806, 124 CVE-2016-3816, CVE-2016-3805, CVE-2016-3804, CVE-2016-3767, CVE-2016-3810, 125 CVE-2016-3795, CVE-2016-3796 126 <li>Greg Kaiser of Google Android Team: CVE-2016-3758 127 <li>Guang Gong () (<a href="https://twitter.com/oldfresher">@oldfresher</a>) 128 of Mobile Safe Team, <a href="http://www.360.com">Qihoo 360 Technology Co. 129 Ltd</a>.: CVE-2016-3764 130 <li>Hao Chen and Guang Gong of Alpha Team, <a href="http://www.360.com"> 131 Qihoo 360 Technology Co. Ltd</a>.: CVE-2016-3792, CVE-2016-3768 132 <li>Hao Qin of Security Research Lab, <a href="http://www.cmcm.com">Cheetah 133 Mobile</a>: CVE-2016-3754, CVE-2016-3766 134 <li>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) 135 and pjf (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab, 136 <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>: CVE-2016-3814, 137 CVE-2016-3802, CVE-2016-3769, CVE-2016-3807, CVE-2016-3808 138 <li>Marco Nelissen of Google: CVE-2016-3818 139 <li>Mark Brand of Google Project Zero: CVE-2016-3757 140 <li><a href="https://github.com/michalbednarski">Micha Bednarski</a>: CVE-2016-3750 141 <li>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), 142 Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and 143 Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3747, 144 CVE-2016-3746, CVE-2016-3765 145 <li>Peng Xiao, Chengming Yang, Ning You, Chao Yang, and Yang Ssong of Alibaba 146 Mobile Security Group: CVE-2016-3800, CVE-2016-3799, CVE-2016-3801, 147 CVE-2016-3812, CVE-2016-3798 148 <li>Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>) of Trend 149 Micro: CVE-2016-3793 150 <li>Ricky Wai of Google: CVE-2016-3749 151 <li>Roeland Krak: CVE-2016-3753 152 <li>Scott Bauer (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): 153 CVE-2016-3797, CVE-2016-3813, CVE-2016-3815, CVE-2016-2501, CVE-2016-2502 154 <li>Vasily Vasilev: CVE-2016-2507 155 <li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of 156 Alibaba Inc.: CVE-2016-2508, CVE-2016-3755 157 <li>Wen Niu (<a href="https://twitter.com/NWMonster">@NWMonster</a>) of KeenLab 158 (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-3809 159 <li>Xiling Gong of Tencent Security Platform Department: CVE-2016-3745 160 <li>Yacong Gu of TCA Lab, Institute of Software, Chinese Academy of Sciences: 161 CVE-2016-3761 162 <li>Yongke Wang (<a href="https://twitter.com/Rudykewang">@Rudykewang</a>) of 163 Xuanwu LAB, Tencent: CVE-2016-2505 164 <li>Yongke Wang (<a href="https://twitter.com/Rudykewang">@Rudykewang</a>) and 165 Wei Wei (<a href="https://twitter.com/Danny__Wei">@Danny__Wei</a>) of Xuanwu 166 LAB, Tencent: CVE-2016-2506 167 <li>Yulong Zhang and Tao (Lenx) Wei of Baidu X-Lab: CVE-2016-3744</li> 168 </ul> 169 170 <h2 id="2016-07-01-details">2016-07-01 security patch levelSecurity vulnerability details</h2> 171 <p>In the sections below, we provide details for each of the security 172 vulnerabilities that apply to the 2016-07-01 patch level. 173 There is a description of the issue, a severity rationale, and a 174 table with the CVE, associated references, severity, updated Nexus devices, 175 updated AOSP versions (where applicable), and date reported. When available, we 176 will link the public change that addressed the issue to the bug ID, like the 177 AOSP change list. When multiple changes relate to a single bug, additional 178 references are linked to numbers following the bug ID.</p> 179 180 <h3 id="remote-code-execution-vulnerability-in-mediaserver"> 181 Remote code execution vulnerability in Mediaserver</h3> 182 <p>A remote code execution vulnerability in Mediaserver could enable an attacker 183 using a specially crafted file to cause memory corruption during media file and 184 data processing. This issue is rated as Critical due to the possibility of 185 remote code execution within the context of the Mediaserver process. The 186 Mediaserver process has access to audio and video streams, as well as access to 187 privileges that third-party apps could not normally access.</p> 188 <p>The affected functionality is provided as a core part of the operating system 189 and there are multiple applications that allow it to be reached with remote 190 content, most notably MMS and browser playback of media.</p> 191 192 <table> 193 <col width="19%"> 194 <col width="19%"> 195 <col width="10%"> 196 <col width="16%"> 197 <col width="17%"> 198 <col width="17%"> 199 <tr> 200 <th>CVE</th> 201 <th>References</th> 202 <th>Severity</th> 203 <th>Updated Nexus devices</th> 204 <th>Updated AOSP versions</th> 205 <th>Date reported</th> 206 </tr> 207 <tr> 208 <td>CVE-2016-2506</td> 209 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/e248db02fbab2ee9162940bc19f087fd7d96cb9d"> 210 A-28175045</a></td> 211 <td>Critical</td> 212 <td><a href="#all_nexus">All Nexus</a></td> 213 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 214 <td>Apr 11, 2016</td> 215 </tr> 216 <tr> 217 <td>CVE-2016-2505</td> 218 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/4f236c532039a61f0cf681d2e3c6e022911bbb5c"> 219 A-28333006</a></td> 220 <td>Critical</td> 221 <td><a href="#all_nexus">All Nexus</a></td> 222 <td>6.0, 6.0.1</td> 223 <td>Apr 21, 2016</td> 224 </tr> 225 <tr> 226 <td>CVE-2016-2507</td> 227 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/60547808ca4e9cfac50028c00c58a6ceb2319301"> 228 A-28532266</a></td> 229 <td>Critical</td> 230 <td><a href="#all_nexus">All Nexus</a></td> 231 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 232 <td>May 2, 2016</td> 233 </tr> 234 <tr> 235 <td>CVE-2016-2508</td> 236 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f81038006b4c59a5a148dcad887371206033c28f"> 237 A-28799341</a> 238 [<a href="https://android.googlesource.com/platform/frameworks/av/+/d112f7d0c1dbaf0368365885becb11ca8d3f13a4">2</a>] 239 </td> 240 <td>Critical</td> 241 <td><a href="#all_nexus">All Nexus</a></td> 242 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 243 <td>May 16, 2016</td> 244 </tr> 245 <tr> 246 <td>CVE-2016-3741</td> 247 <td><a href="https://android.googlesource.com/platform/external/libavc/+/e629194c62a9a129ce378e08cb1059a8a53f1795"> 248 A-28165661</a> 249 [<a href="https://android.googlesource.com/platform/external/libavc/+/cc676ebd95247646e67907ccab150fb77a847335">2</a>] 250 </td> 251 <td>Critical</td> 252 <td><a href="#all_nexus">All Nexus</a></td> 253 <td>6.0, 6.0.1</td> 254 <td>Google internal</td> 255 </tr> 256 <tr> 257 <td>CVE-2016-3742</td> 258 <td><a href="https://android.googlesource.com/platform/external/libavc/+/a583270e1c96d307469c83dc42bd3c5f1b9ef63f"> 259 A-28165659</a> 260 </td> 261 <td>Critical</td> 262 <td><a href="#all_nexus">All Nexus</a></td> 263 <td>6.0, 6.0.1</td> 264 <td>Google internal</td> 265 </tr> 266 <tr> 267 <td>CVE-2016-3743</td> 268 <td><a href="https://android.googlesource.com/platform/external/libavc/+/ecf6c7ce6d5a22d52160698aab44fc234c63291a"> 269 A-27907656</a> 270 </td> 271 <td>Critical</td> 272 <td><a href="#all_nexus">All Nexus</a></td> 273 <td>6.0, 6.0.1</td> 274 <td>Google internal</td> 275 </tr> 276 </table> 277 278 279 <h3 id="remote-code-execution-vulnerability-in-openssl-&-boringssl"> 280 Remote code execution vulnerability in OpenSSL & BoringSSL</h3> 281 <p>A remote code execution vulnerability in OpenSSL and BoringSSL could enable an 282 attacker using a specially crafted file to cause memory corruption during file 283 and data processing. This issue is rated as Critical due to the possibility of 284 remote code execution within the context of an affected process.</p> 285 286 <table> 287 <col width="19%"> 288 <col width="16%"> 289 <col width="10%"> 290 <col width="19%"> 291 <col width="18%"> 292 <col width="16%"> 293 <tr> 294 <th>CVE</th> 295 <th>References</th> 296 <th>Severity</th> 297 <th>Updated Nexus devices</th> 298 <th>Updated AOSP versions</th> 299 <th>Date reported</th> 300 </tr> 301 <tr> 302 <td>CVE-2016-2108</td> 303 <td><a href="https://android.googlesource.com/platform/external/boringssl/+/74750e1fb24149043a533497f79c577b704d6e30"> 304 A-28175332</a> 305 </td> 306 <td>Critical</td> 307 <td><a href="#all_nexus">All Nexus</a></td> 308 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 309 <td>May 3, 2016</td> 310 </tr> 311 </table> 312 313 <h3 id="remote-code-execution-vulnerability-in-bluetooth"> 314 Remote code execution vulnerability in Bluetooth</h3> 315 <p>A remote code execution vulnerability in Bluetooth could allow a proximal 316 attacker to execute arbitrary code during the pairing process. This issue is 317 rated as High due to the possibility of remote code execution during the 318 initialization of a Bluetooth device.</p> 319 320 <table> 321 <col width="19%"> 322 <col width="16%"> 323 <col width="10%"> 324 <col width="19%"> 325 <col width="18%"> 326 <col width="16%"> 327 <tr> 328 <th>CVE</th> 329 <th>References</th> 330 <th>Severity</th> 331 <th>Updated Nexus devices</th> 332 <th>Updated AOSP versions</th> 333 <th>Date reported</th> 334 </tr> 335 <tr> 336 <td>CVE-2016-3744</td> 337 <td><a href="https://android.googlesource.com/platform/system/bt/+/514139f4b40cbb035bb92f3e24d5a389d75db9e6"> 338 A-27930580</a></td> 339 <td>High</td> 340 <td><a href="#all_nexus">All Nexus</a></td> 341 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 342 <td>Mar 30, 2016</td> 343 </tr> 344 </table> 345 346 <h3 id="elevation-of-privilege-vulnerability-in-libpng"> 347 Elevation of privilege vulnerability in libpng</h3> 348 <p>An elevation of privilege vulnerability in libpng could enable a local malicious 349 application to execute arbitrary code within the context of an elevated system 350 application. This issue is rated as High because it could be used to gain local 351 access to elevated capabilities, such as 352 <a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> 353 or <a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 354 permissions privileges, which are not accessible to a third-party application.</p> 355 356 <table> 357 <col width="19%"> 358 <col width="16%"> 359 <col width="10%"> 360 <col width="19%"> 361 <col width="18%"> 362 <col width="16%"> 363 <tr> 364 <th>CVE</th> 365 <th>References</th> 366 <th>Severity</th> 367 <th>Updated Nexus devices</th> 368 <th>Updated AOSP versions</th> 369 <th>Date reported</th> 370 </tr> 371 <tr> 372 <td>CVE-2016-3751</td> 373 <td><a href="https://android.googlesource.com/platform/external/libpng/+/9d4853418ab2f754c2b63e091c29c5529b8b86ca"> 374 A-23265085</a> 375 </td> 376 <td>High</td> 377 <td><a href="#all_nexus">All Nexus</a></td> 378 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 379 <td>Dec 3, 2015</td> 380 </tr> 381 </table> 382 383 <h3 id="elevation-of-privilege-vulnerability-in-mediaserver"> 384 Elevation of privilege vulnerability in Mediaserver</h3> 385 <p>An elevation of privilege vulnerability in Mediaserver could enable a local 386 malicious application to execute arbitrary code within the context of an 387 elevated system application. This issue is rated as High because it could be 388 used to gain local access to elevated capabilities, such as 389 <a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> 390 or <a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 391 permissions privileges, which are not accessible to a third-party application.</p> 392 393 <table> 394 <col width="19%"> 395 <col width="16%"> 396 <col width="10%"> 397 <col width="19%"> 398 <col width="18%"> 399 <col width="16%"> 400 <tr> 401 <th>CVE</th> 402 <th>References</th> 403 <th>Severity</th> 404 <th>Updated Nexus devices</th> 405 <th>Updated AOSP versions</th> 406 <th>Date reported</th> 407 </tr> 408 <tr> 409 <td>CVE-2016-3745</td> 410 <td><a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/073a80800f341325932c66818ce4302b312909a4"> 411 A-28173666</a> 412 </td> 413 <td>High</td> 414 <td><a href="#all_nexus">All Nexus</a></td> 415 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 416 <td>Apr 10, 2016</td> 417 </tr> 418 <tr> 419 <td>CVE-2016-3746</td> 420 <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/5b82f4f90c3d531313714df4b936f92fb0ff15cf"> 421 A-27890802</a> 422 </td> 423 <td>High</td> 424 <td><a href="#all_nexus">All Nexus</a></td> 425 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 426 <td>Mar 27, 2016</td> 427 </tr> 428 <tr> 429 <td>CVE-2016-3747</td> 430 <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/4ed06d14080d8667d5be14eed200e378cba78345"> 431 A-27903498</a> 432 </td> 433 <td>High</td> 434 <td><a href="#all_nexus">All Nexus</a></td> 435 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 436 <td>Mar 28, 2016</td> 437 </tr> 438 </table> 439 440 <h3 id="elevation-of-privilege-vulnerability-in-sockets"> 441 Elevation of privilege vulnerability in sockets</h3> 442 <p>An elevation of privilege vulnerability in sockets could enable a local 443 malicious application to access system calls outside of its permissions level. 444 This issue is rated as High because it could permit a bypass of security 445 measures in place to increase the difficulty of attackers exploiting the 446 platform.</p> 447 448 <table> 449 <col width="19%"> 450 <col width="16%"> 451 <col width="10%"> 452 <col width="19%"> 453 <col width="18%"> 454 <col width="16%"> 455 <tr> 456 <th>CVE</th> 457 <th>References</th> 458 <th>Severity</th> 459 <th>Updated Nexus devices</th> 460 <th>Updated AOSP versions</th> 461 <th>Date reported</th> 462 </tr> 463 <tr> 464 <td>CVE-2016-3748</td> 465 <td><a href="https://android.googlesource.com/platform/external/sepolicy/+/556bb0f55324e8839d7b735a0de9bc31028e839e"> 466 A-28171804</a> 467 </td> 468 <td>High</td> 469 <td><a href="#all_nexus">All Nexus</a></td> 470 <td>6.0, 6.0.1</td> 471 <td>Apr 13, 2016</td> 472 </tr> 473 </table> 474 475 <h3 id="elevation-of-privilege-vulnerability-in-locksettingsservice"> 476 Elevation of privilege vulnerability in LockSettingsService</h3> 477 <p>An elevation of privilege vulnerability in the LockSettingsService could enable 478 a malicious application to reset the screen lock password without authorization 479 from the user. This issue is rated as High because it is a local bypass of user 480 interaction requirements for any developer or security settings modifications.</p> 481 482 <table> 483 <col width="19%"> 484 <col width="16%"> 485 <col width="10%"> 486 <col width="19%"> 487 <col width="17%"> 488 <col width="17%"> 489 <tr> 490 <th>CVE</th> 491 <th>References</th> 492 <th>Severity</th> 493 <th>Updated Nexus devices</th> 494 <th>Updated AOSP versions</th> 495 <th>Date reported</th> 496 </tr> 497 <tr> 498 <td>CVE-2016-3749</td> 499 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e83f0f6a5a6f35323f5367f99c8e287c440f33f5"> 500 A-28163930</a> 501 </td> 502 <td>High</td> 503 <td><a href="#all_nexus">All Nexus</a></td> 504 <td>6.0, 6.0.1</td> 505 <td>Google internal</td> 506 </tr> 507 </table> 508 509 <h3 id="elevation-of-privilege-vulnerability-in-framework-apis"> 510 Elevation of privilege vulnerability in Framework APIs</h3> 511 <p>An elevation of privilege vulnerability in the Parcels Framework APIs could 512 enable a local malicious application to bypass operating system protections that 513 isolate application data from other applications. This issue is rated as High 514 because it could be used to gain access to data that the application does not 515 have access to.</p> 516 517 <table> 518 <col width="19%"> 519 <col width="16%"> 520 <col width="10%"> 521 <col width="19%"> 522 <col width="17%"> 523 <col width="17%"> 524 <tr> 525 <th>CVE</th> 526 <th>References</th> 527 <th>Severity</th> 528 <th>Updated Nexus devices</th> 529 <th>Updated AOSP versions</th> 530 <th>Date reported</th> 531 </tr> 532 <tr> 533 <td>CVE-2016-3750</td> 534 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/54cb02ad733fb71b1bdf78590428817fb780aff8"> 535 A-28395952</a> 536 </td> 537 <td>High</td> 538 <td><a href="#all_nexus">All Nexus</a></td> 539 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 540 <td>Dec 16, 2015</td> 541 </tr> 542 </table> 543 544 <h3 id="elevation-of-privilege-vulnerability-in-choosertarget-service"> 545 Elevation of privilege vulnerability in ChooserTarget service</h3> 546 <p>An elevation of privilege vulnerability in the ChooserTarget service could 547 enable a local malicious application to execute code in the context of another 548 application. This issue is rated High because it could be used to access 549 Activities belonging to another application without permission.</p> 550 551 <table> 552 <col width="19%"> 553 <col width="16%"> 554 <col width="10%"> 555 <col width="19%"> 556 <col width="17%"> 557 <col width="17%"> 558 <tr> 559 <th>CVE</th> 560 <th>References</th> 561 <th>Severity</th> 562 <th>Updated Nexus devices</th> 563 <th>Updated AOSP versions</th> 564 <th>Date reported</th> 565 </tr> 566 <tr> 567 <td>CVE-2016-3752</td> 568 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/ddbf2db5b946be8fdc45c7b0327bf560b2a06988"> 569 A-28384423</a> 570 </td> 571 <td>High</td> 572 <td><a href="#all_nexus">All Nexus</a></td> 573 <td>6.0, 6.0.1</td> 574 <td>Google internal</td> 575 </tr> 576 </table> 577 578 <h3 id="information-disclosure-vulnerability-in-mediaserver"> 579 Information disclosure vulnerability in Mediaserver</h3> 580 <p>An information disclosure vulnerability in Mediaserver could enable a remote 581 attacker to access protected data normally only accessible to locally installed 582 apps that request permission. This issue is rated as High because it could be 583 used to access data without permission.</p> 584 585 <table> 586 <col width="19%"> 587 <col width="16%"> 588 <col width="10%"> 589 <col width="19%"> 590 <col width="18%"> 591 <col width="16%"> 592 <tr> 593 <th>CVE</th> 594 <th>References</th> 595 <th>Severity</th> 596 <th>Updated Nexus devices</th> 597 <th>Updated AOSP versions</th> 598 <th>Date reported</th> 599 </tr> 600 <tr> 601 <td>CVE-2016-3753</td> 602 <td>A-27210135</td> 603 <td>High</td> 604 <td>None*</td> 605 <td>4.4.4</td> 606 <td>Feb 15, 2016</td> 607 </tr> 608 </table> 609 <p>* Supported Nexus devices that have installed all available updates are not 610 affected by this vulnerability.</p> 611 612 <h3 id="information-disclosure-vulnerability-in-openssl"> 613 Information disclosure vulnerability in OpenSSL</h3> 614 <p>An information disclosure vulnerability in OpenSSL could enable a remote 615 attacker to access protected data normally only accessible to locally installed 616 apps that request permission. This issue is rated as High because it could be 617 used to access data without permission.</p> 618 619 <table> 620 <col width="19%"> 621 <col width="16%"> 622 <col width="10%"> 623 <col width="19%"> 624 <col width="18%"> 625 <col width="16%"> 626 <tr> 627 <th>CVE</th> 628 <th>References</th> 629 <th>Severity</th> 630 <th>Updated Nexus devices</th> 631 <th>Updated AOSP versions</th> 632 <th>Date reported</th> 633 </tr> 634 <tr> 635 <td>CVE-2016-2107</td> 636 <td>A-28550804</td> 637 <td>High</td> 638 <td>None*</td> 639 <td>4.4.4, 5.0.2, 5.1.1</td> 640 <td>April 13, 2016</td> 641 </tr> 642 </table> 643 <p>* Supported Nexus devices that have installed all available updates are not 644 affected by this vulnerability.</p> 645 646 <h3 id="denial-of-service-vulnerability-in-mediaserver"> 647 Denial of service vulnerability in Mediaserver</h3> 648 <p>A denial of service vulnerability in Mediaserver could enable an attacker to use 649 a specially crafted file to cause a device hang or reboot. This issue is rated 650 as High due to the possibility of a temporary remote denial of service.</p> 651 652 <table> 653 <col width="19%"> 654 <col width="19%"> 655 <col width="10%"> 656 <col width="16%"> 657 <col width="17%"> 658 <col width="17%"> 659 <tr> 660 <th>CVE</th> 661 <th>References</th> 662 <th>Severity</th> 663 <th>Updated Nexus devices</th> 664 <th>Updated AOSP versions</th> 665 <th>Date reported</th> 666 </tr> 667 <tr> 668 <td>CVE-2016-3754</td> 669 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fdee2a83432b3b150d6a34f231c4e2f7353c01e"> 670 A-28615448</a> 671 [<a href="https://android.googlesource.com/platform/frameworks/av/+/e7142a0703bc93f75e213e96ebc19000022afed9">2</a>] 672 </td> 673 <td>High</td> 674 <td><a href="#all_nexus">All Nexus</a></td> 675 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 676 <td>May 5, 2016</td> 677 </tr> 678 <tr> 679 <td>CVE-2016-3755</td> 680 <td><a href="https://android.googlesource.com/platform/external/libavc/+/d4841f1161bdb5e13cb19e81af42437a634dd6ef"> 681 A-28470138</a> 682 </td> 683 <td>High</td> 684 <td><a href="#all_nexus">All Nexus</a></td> 685 <td>6.0, 6.0.1</td> 686 <td>Apr 29, 2016</td> 687 </tr> 688 <tr> 689 <td>CVE-2016-3756</td> 690 <td><a href="https://android.googlesource.com/platform/external/tremolo/+/659030a2e80c38fb8da0a4eb68695349eec6778b"> 691 A-28556125</a> 692 </td> 693 <td>High</td> 694 <td><a href="#all_nexus">All Nexus</a></td> 695 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 696 <td>Google internal</td> 697 </tr> 698 </table> 699 700 <h3 id="denial-of-service-vulnerability-in-libc"> 701 Denial of service vulnerability in libc</h3> 702 <p>A denial of service vulnerability in libc could enable an attacker to use a 703 specially crafted file to cause a device hang or reboot. This issue is rated as 704 High due to the possibility of remote denial of service.</p> 705 706 <table> 707 <col width="19%"> 708 <col width="16%"> 709 <col width="10%"> 710 <col width="19%"> 711 <col width="17%"> 712 <col width="17%"> 713 <tr> 714 <th>CVE</th> 715 <th>References</th> 716 <th>Severity</th> 717 <th>Updated Nexus devices</th> 718 <th>Updated AOSP versions</th> 719 <th>Date reported</th> 720 </tr> 721 <tr> 722 <td>CVE-2016-3818</td> 723 <td>A-28740702</td> 724 <td>High</td> 725 <td>None*</td> 726 <td>4.4.4</td> 727 <td>Google internal</td> 728 </tr> 729 </table> 730 <p>* Supported Nexus devices that have installed all available updates are not 731 affected by this vulnerability.</p> 732 733 <h3 id="elevation-of-privilege-vulnerability-in-lsof"> 734 Elevation of privilege vulnerability in lsof</h3> 735 <p>An elevation of privilege vulnerability in lsof could enable a local malicious 736 application to execute arbitrary code that could lead to a permanent device 737 compromise. This issue is rated as Moderate because it requires uncommon manual 738 steps.</p> 739 740 <table> 741 <col width="19%"> 742 <col width="16%"> 743 <col width="10%"> 744 <col width="19%"> 745 <col width="18%"> 746 <col width="16%"> 747 <tr> 748 <th>CVE</th> 749 <th>References</th> 750 <th>Severity</th> 751 <th>Updated Nexus devices</th> 752 <th>Updated AOSP versions</th> 753 <th>Date reported</th> 754 </tr> 755 <tr> 756 <td>CVE-2016-3757</td> 757 <td><a href="https://android.googlesource.com/platform/system/core/+/ae18eb014609948a40e22192b87b10efc680daa7"> 758 A-28175237</a> 759 </td> 760 <td>Moderate</td> 761 <td><a href="#all_nexus">All Nexus</a></td> 762 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 763 <td>Apr 11, 2016</td> 764 </tr> 765 </table> 766 767 <h3 id="elevation-of-privilege-vulnerability-in-dexclassloader"> 768 Elevation of privilege vulnerability in DexClassLoader</h3> 769 <p>An elevation of privilege vulnerability in the DexClassLoader could enable a 770 local malicious application to execute arbitrary code within the context of a 771 privileged process. This issue is rated as Moderate because it requires uncommon 772 manual steps.</p> 773 774 <table> 775 <col width="19%"> 776 <col width="16%"> 777 <col width="10%"> 778 <col width="19%"> 779 <col width="17%"> 780 <col width="17%"> 781 <tr> 782 <th>CVE</th> 783 <th>References</th> 784 <th>Severity</th> 785 <th>Updated Nexus devices</th> 786 <th>Updated AOSP versions</th> 787 <th>Date reported</th> 788 </tr> 789 <tr> 790 <td>CVE-2016-3758</td> 791 <td><a href="https://android.googlesource.com/platform/dalvik/+/338aeaf28e9981c15d0673b18487dba61eb5447c"> 792 A-27840771</a> 793 </td> 794 <td>Moderate</td> 795 <td><a href="#all_nexus">All Nexus</a></td> 796 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 797 <td>Google internal</td> 798 </tr> 799 </table> 800 801 <h3 id="elevation-of-privilege-vulnerability-in-framework-apis-2"> 802 Elevation of privilege vulnerability in Framework APIs</h3> 803 <p>An elevation of privilege vulnerability in the Framework APIs could enable a 804 local malicious application to request backup permissions and intercept all 805 backup data. This issue is rated as Moderate because it requires specific 806 permissions to bypass operating system protections that isolate application data 807 from other applications.</p> 808 809 <table> 810 <col width="19%"> 811 <col width="16%"> 812 <col width="10%"> 813 <col width="19%"> 814 <col width="17%"> 815 <col width="17%"> 816 <tr> 817 <th>CVE</th> 818 <th>References</th> 819 <th>Severity</th> 820 <th>Updated Nexus devices</th> 821 <th>Updated AOSP versions</th> 822 <th>Date reported</th> 823 </tr> 824 <tr> 825 <td>CVE-2016-3759</td> 826 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/9b8c6d2df35455ce9e67907edded1e4a2ecb9e28"> 827 A-28406080</a> 828 </td> 829 <td>Moderate</td> 830 <td><a href="#all_nexus">All Nexus</a></td> 831 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 832 <td>Google internal</td> 833 </tr> 834 </table> 835 836 <h3 id="elevation-of-privilege-vulnerability-in-bluetooth"> 837 Elevation of privilege vulnerability in Bluetooth</h3> 838 <p>An elevation of privilege vulnerability in the Bluetooth component could enable 839 a local attacker to add an authenticated Bluetooth device that persists for the 840 primary user. This issue is rated as Moderate because it could be used to gain 841 elevated capabilities without explicit user permission.</p> 842 843 <table> 844 <col width="19%"> 845 <col width="16%"> 846 <col width="10%"> 847 <col width="19%"> 848 <col width="18%"> 849 <col width="16%"> 850 <tr> 851 <th>CVE</th> 852 <th>References</th> 853 <th>Severity</th> 854 <th>Updated Nexus devices</th> 855 <th>Updated AOSP versions</th> 856 <th>Date reported</th> 857 </tr> 858 <tr> 859 <td>CVE-2016-3760</td> 860 <td><a href="https://android.googlesource.com/platform/hardware/libhardware/+/8b3d5a64c3c8d010ad4517f652731f09107ae9c5">A-27410683</a> 861 [<a href="https://android.googlesource.com/platform/system/bt/+/37c88107679d36c419572732b4af6e18bb2f7dce">2</a>] 862 [<a href="https://android.googlesource.com/platform/packages/apps/Bluetooth/+/122feb9a0b04290f55183ff2f0384c6c53756bd8">3</a>] 863 </td> 864 <td>Moderate</td> 865 <td><a href="#all_nexus">All Nexus</a></td> 866 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 867 <td>Feb 29, 2016</td> 868 </tr> 869 </table> 870 871 <h3 id="elevation-of-privilege-vulnerability-in-nfc"> 872 Elevation of privilege vulnerability in NFC</h3> 873 <p>An elevation of privilege vulnerability in NFC could enable a local malicious 874 background application to access information from a foreground application. This 875 issue is rated as Moderate because it could be used to gain elevated 876 capabilities without explicit user permission.</p> 877 878 <table> 879 <col width="19%"> 880 <col width="16%"> 881 <col width="10%"> 882 <col width="19%"> 883 <col width="18%"> 884 <col width="16%"> 885 <tr> 886 <th>CVE</th> 887 <th>References</th> 888 <th>Severity</th> 889 <th>Updated Nexus devices</th> 890 <th>Updated AOSP versions</th> 891 <th>Date reported</th> 892 </tr> 893 <tr> 894 <td>CVE-2016-3761</td> 895 <td><a href="https://android.googlesource.com/platform/packages/apps/Nfc/+/9ea802b5456a36f1115549b645b65c791eff3c2c"> 896 A-28300969</a> 897 </td> 898 <td>Moderate</td> 899 <td><a href="#all_nexus">All Nexus</a></td> 900 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 901 <td>Apr 20, 2016</td> 902 </tr> 903 </table> 904 905 <h3 id="elevation-of-privilege-vulnerability-in-sockets-2"> 906 Elevation of privilege vulnerability in sockets</h3> 907 <p>An elevation of privilege vulnerability in sockets could enable a local 908 malicious application to gain access to certain uncommon socket types possibly 909 leading to arbitrary code execution within the context of the kernel. This issue 910 is rated as Moderate because it could permit a bypass of security measures in 911 place to increase the difficulty of attackers exploiting the platform.</p> 912 913 <table> 914 <col width="19%"> 915 <col width="16%"> 916 <col width="10%"> 917 <col width="19%"> 918 <col width="18%"> 919 <col width="16%"> 920 <tr> 921 <th>CVE</th> 922 <th>References</th> 923 <th>Severity</th> 924 <th>Updated Nexus devices</th> 925 <th>Updated AOSP versions</th> 926 <th>Date reported</th> 927 </tr> 928 <tr> 929 <td>CVE-2016-3762</td> 930 <td><a href="https://android.googlesource.com/platform/external/sepolicy/+/abf0663ed884af7bc880a05e9529e6671eb58f39"> 931 A-28612709</a> 932 </td> 933 <td>Moderate</td> 934 <td><a href="#all_nexus">All Nexus</a></td> 935 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 936 <td>Apr 21, 2016</td> 937 </tr> 938 </table> 939 940 <h3 id="information-disclosure-vulnerability-in-proxy-auto-config"> 941 Information disclosure vulnerability in Proxy Auto-Config</h3> 942 <p>An information disclosure vulnerability in the Proxy Auto-Config component could 943 allow an application to access sensitive information. This issue is rated 944 Moderate because it could be used to access data without permission.</p> 945 946 <table> 947 <col width="19%"> 948 <col width="16%"> 949 <col width="10%"> 950 <col width="19%"> 951 <col width="18%"> 952 <col width="16%"> 953 <tr> 954 <th>CVE</th> 955 <th>References</th> 956 <th>Severity</th> 957 <th>Updated Nexus devices</th> 958 <th>Updated AOSP versions</th> 959 <th>Date reported</th> 960 </tr> 961 <tr> 962 <td>CVE-2016-3763</td> 963 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/ec2fc50d202d975447211012997fe425496c849c"> 964 A-27593919</a> 965 </td> 966 <td>Moderate</td> 967 <td><a href="#all_nexus">All Nexus</a></td> 968 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 969 <td>Mar 10, 2016</td> 970 </tr> 971 </table> 972 973 <h3 id="information-disclosure-vulnerability-in-mediaserver-2"> 974 Information disclosure vulnerability in Mediaserver</h3> 975 <p>An information disclosure vulnerability in Mediaserver could allow a local 976 malicious application to access sensitive information. This issue is rated as 977 Moderate because it could be used to access data without permission.</p> 978 979 <table> 980 <col width="19%"> 981 <col width="16%"> 982 <col width="10%"> 983 <col width="19%"> 984 <col width="18%"> 985 <col width="16%"> 986 <tr> 987 <th>CVE</th> 988 <th>References</th> 989 <th>Severity</th> 990 <th>Updated Nexus devices</th> 991 <th>Updated AOSP versions</th> 992 <th>Date reported</th> 993 </tr> 994 <tr> 995 <td>CVE-2016-3764</td> 996 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/daef4327fe0c75b0a90bb8627458feec7a301e1f"> 997 A-28377502</a> 998 </td> 999 <td>Moderate</td> 1000 <td><a href="#all_nexus">All Nexus</a></td> 1001 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1002 <td>Apr 25, 2016</td> 1003 </tr> 1004 <tr> 1005 <td>CVE-2016-3765</td> 1006 <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/d1c775d1d8d2ed117d1e026719b7f9f089716597"> 1007 A-28168413</a> 1008 </td> 1009 <td>Moderate</td> 1010 <td><a href="#all_nexus">All Nexus</a></td> 1011 <td>6.0, 6.0.1</td> 1012 <td>Apr 8, 2016</td> 1013 </tr> 1014 </table> 1015 1016 <h3 id="denial-of-service-vulnerability-in-mediaserver-2"> 1017 Denial of service vulnerability in Mediaserver</h3> 1018 <p>A denial of service vulnerability in Mediaserver could enable an attacker to use 1019 a specially crafted file to cause a device hang or reboot. This issue is rated 1020 as Moderate due to the possibility of remote denial of service.</p> 1021 1022 <table> 1023 <col width="19%"> 1024 <col width="16%"> 1025 <col width="10%"> 1026 <col width="19%"> 1027 <col width="18%"> 1028 <col width="16%"> 1029 <tr> 1030 <th>CVE</th> 1031 <th>References</th> 1032 <th>Severity</th> 1033 <th>Updated Nexus devices</th> 1034 <th>Updated AOSP versions</th> 1035 <th>Date reported</th> 1036 </tr> 1037 <tr> 1038 <td>CVE-2016-3766</td> 1039 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fdee2a83432b3b150d6a34f231c4e2f7353c01e"> 1040 A-28471206</a> 1041 [<a href="https://android.googlesource.com/platform/frameworks/av/+/e7142a0703bc93f75e213e96ebc19000022afed9">2</a>] 1042 </td> 1043 <td>Moderate</td> 1044 <td><a href="#all_nexus">All Nexus</a></td> 1045 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1046 <td>Apr 29, 2016</td> 1047 </tr> 1048 </table> 1049 1050 <h2 id="2016-07-05-details">2016-07-05 security patch levelVulnerability details</h2> 1051 <p>In the sections below, we provide details for each of the security 1052 vulnerabilities that apply to the 2016-07-05 patch level. 1053 There is a description of the issue, a severity rationale, and a 1054 table with the CVE, associated references, severity, updated Nexus devices, 1055 updated AOSP versions (where applicable), and date reported. When available, we 1056 will link the public change that addressed the issue to the bug ID, like the 1057 AOSP change list. When multiple changes relate to a single bug, additional 1058 references are linked to numbers following the bug ID.</p> 1059 1060 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-gpu-driver"> 1061 Elevation of privilege vulnerability in Qualcomm GPU driver</h3> 1062 <p>An elevation of privilege vulnerability in the Qualcomm GPU driver could enable 1063 a local malicious application to execute arbitrary code within the context of 1064 the kernel. This issue is rated as Critical due to the possibility of a local 1065 permanent device compromise, which may require reflashing the operating system 1066 to repair the device.</p> 1067 1068 <table> 1069 <col width="19%"> 1070 <col width="16%"> 1071 <col width="10%"> 1072 <col width="27%"> 1073 <col width="16%"> 1074 <tr> 1075 <th>CVE</th> 1076 <th>References</th> 1077 <th>Severity</th> 1078 <th>Updated Nexus devices</th> 1079 <th>Date reported</th> 1080 </tr> 1081 <tr> 1082 <td>CVE-2016-2503</td> 1083 <td>A-28084795* 1084 QC-CR1006067</td> 1085 <td>Critical</td> 1086 <td>Nexus 5X, Nexus 6P</td> 1087 <td>Apr 5, 2016</td> 1088 </tr> 1089 <tr> 1090 <td>CVE-2016-2067</td> 1091 <td>A-28305757 1092 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.18/commit/?id=410cfa95f0a1cf58819cbfbd896f9aa45b004ac0"> 1093 QC-CR988993</a></td> 1094 <td>Critical</td> 1095 <td>Nexus 5X, Nexus 6, Nexus 6P</td> 1096 <td>Apr 20, 2016</td> 1097 </tr> 1098 </table> 1099 <p>* The patch for this issue is not publicly available. The update is contained in 1100 the latest binary drivers for Nexus devices available from the 1101 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1102 1103 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-wi-fi-driver"> 1104 Elevation of privilege vulnerability in MediaTek Wi-Fi driver</h3> 1105 <p>An elevation of privilege vulnerability in the MediaTek Wi-Fi driver could 1106 enable a local malicious application to execute arbitrary code within the 1107 context of the kernel. This issue is rated as Critical due to the possibility of 1108 a local permanent device compromise, which may require reflashing the operating 1109 system to repair the device.</p> 1110 1111 <table> 1112 <col width="19%"> 1113 <col width="20%"> 1114 <col width="10%"> 1115 <col width="23%"> 1116 <col width="16%"> 1117 <tr> 1118 <th>CVE</th> 1119 <th>References</th> 1120 <th>Severity</th> 1121 <th>Updated Nexus devices</th> 1122 <th>Date reported</th> 1123 </tr> 1124 <tr> 1125 <td>CVE-2016-3767</td> 1126 <td>A-28169363* 1127 <br>M-ALPS02689526</td> 1128 <td>Critical</td> 1129 <td>Android One</td> 1130 <td>Apr 6, 2016</td> 1131 </tr> 1132 </table> 1133 <p>* The patch for this issue is not publicly available. The update is contained in 1134 the latest binary drivers for Nexus devices available from the 1135 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1136 1137 <h3 1138 id="elevation-of-privilege-vulnerability-in-qualcomm-performance-component"> 1139 Elevation of privilege vulnerability in Qualcomm performance component</h3> 1140 <p>An elevation of privilege vulnerability in the Qualcomm performance component 1141 could enable a local malicious application to execute arbitrary code within the 1142 context of the kernel. This issue is rated as Critical severity due to the 1143 possibility of a local permanent device compromise, which may require reflashing 1144 the operating system to repair the device.</p> 1145 1146 <table> 1147 <col width="19%"> 1148 <col width="16%"> 1149 <col width="10%"> 1150 <col width="27%"> 1151 <col width="16%"> 1152 <tr> 1153 <th>CVE</th> 1154 <th>References</th> 1155 <th>Severity</th> 1156 <th>Updated Nexus devices</th> 1157 <th>Date reported</th> 1158 </tr> 1159 <tr> 1160 <td>CVE-2016-3768</td> 1161 <td>A-28172137* 1162 QC-CR1010644</td> 1163 <td>Critical</td> 1164 <td>Nexus 5, Nexus 6, Nexus 5X, Nexus 6P, Nexus 7 (2013)</td> 1165 <td>Apr 9, 2016</td> 1166 </tr> 1167 </table> 1168 <p>* The patch for this issue is not publicly available. The update is contained in 1169 the latest binary drivers for Nexus devices available from the 1170 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1171 1172 <h3 id="elevation-of-privilege-vulnerability-in-nvidia-video-driver"> 1173 Elevation of privilege vulnerability in NVIDIA video driver</h3> 1174 <p>An elevation of privilege vulnerability in the NVIDIA video driver could enable 1175 a local malicious application to execute arbitrary code within the context of 1176 the kernel. This issue is rated as Critical due to the possibility of a local 1177 permanent device compromise, which may require reflashing the operating system 1178 to repair the device.</p> 1179 1180 <table> 1181 <col width="19%"> 1182 <col width="20%"> 1183 <col width="10%"> 1184 <col width="23%"> 1185 <col width="16%"> 1186 <tr> 1187 <th>CVE</th> 1188 <th>References</th> 1189 <th>Severity</th> 1190 <th>Updated Nexus devices</th> 1191 <th>Date reported</th> 1192 </tr> 1193 <tr> 1194 <td>CVE-2016-3769</td> 1195 <td>A-28376656*<br> 1196 N-CVE20163769</td> 1197 <td>Critical</td> 1198 <td>Nexus 9</td> 1199 <td>Apr 18, 2016</td> 1200 </tr> 1201 </table> 1202 <p>* The patch for this issue is not publicly available. The update is contained in 1203 the latest binary drivers for Nexus devices available from the 1204 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1205 1206 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-drivers-device-specific"> 1207 Elevation of privilege vulnerability in MediaTek drivers (Device specific)</h3> 1208 <p>An elevation of privilege vulnerability in multiple MediaTek drivers could 1209 enable a local malicious application to execute arbitrary code within the 1210 context of the kernel. This issue is rated as Critical due to the possibility of 1211 a local permanent device compromise, which may require reflashing the operating 1212 system to repair the device.</p> 1213 1214 <table> 1215 <col width="19%"> 1216 <col width="20%"> 1217 <col width="10%"> 1218 <col width="23%"> 1219 <col width="16%"> 1220 <tr> 1221 <th>CVE</th> 1222 <th>References</th> 1223 <th>Severity</th> 1224 <th>Updated Nexus devices</th> 1225 <th>Date reported</th> 1226 </tr> 1227 <tr> 1228 <td>CVE-2016-3770</td> 1229 <td>A-28346752*<br> 1230 M-ALPS02703102</td> 1231 <td>Critical</td> 1232 <td>Android One</td> 1233 <td>Apr 22, 2016</td> 1234 </tr> 1235 <tr> 1236 <td>CVE-2016-3771</td> 1237 <td>A-29007611*<br> 1238 M-ALPS02703102</td> 1239 <td>Critical</td> 1240 <td>Android One</td> 1241 <td>Apr 22, 2016</td> 1242 </tr> 1243 <tr> 1244 <td>CVE-2016-3772</td> 1245 <td>A-29008188*<br> 1246 M-ALPS02703102</td> 1247 <td>Critical</td> 1248 <td>Android One</td> 1249 <td>Apr 22, 2016</td> 1250 </tr> 1251 <tr> 1252 <td>CVE-2016-3773</td> 1253 <td>A-29008363*<br> 1254 M-ALPS02703102</td> 1255 <td>Critical</td> 1256 <td>Android One</td> 1257 <td>Apr 22, 2016</td> 1258 </tr> 1259 <tr> 1260 <td>CVE-2016-3774</td> 1261 <td>A-29008609*<br> 1262 M-ALPS02703102</td> 1263 <td>Critical</td> 1264 <td>Android One</td> 1265 <td>Apr 22, 2016</td> 1266 </tr> 1267 </table> 1268 <p>* The patch for this issue is not publicly available. The update is contained in 1269 the latest binary drivers for Nexus devices available from the 1270 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1271 1272 <h3 id="elevation-of-privilege-vulnerability-in-kernel-file-system"> 1273 Elevation of privilege vulnerability in kernel file system</h3> 1274 <p>An elevation of privilege vulnerability in the kernel file system could enable a 1275 local malicious application to execute arbitrary code within the context of the 1276 kernel. This issue is rated as Critical due to the possibility of a local 1277 permanent device compromise, which may require reflashing the operating system 1278 to repair the device.</p> 1279 1280 <table> 1281 <col width="19%"> 1282 <col width="16%"> 1283 <col width="10%"> 1284 <col width="27%"> 1285 <col width="16%"> 1286 <tr> 1287 <th>CVE</th> 1288 <th>References</th> 1289 <th>Severity</th> 1290 <th>Updated Nexus devices</th> 1291 <th>Date reported</th> 1292 </tr> 1293 <tr> 1294 <td>CVE-2016-3775</td> 1295 <td>A-28588279*</td> 1296 <td>Critical</td> 1297 <td>Nexus 5X, Nexus 6, Nexus 6P and Nexus Player, Pixel C</td> 1298 <td>May 4, 2016</td> 1299 </tr> 1300 </table> 1301 <p>* The patch for this issue is not publicly available. The update is contained in 1302 the latest binary drivers for Nexus devices available from the 1303 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1304 1305 <h3 id="elevation-of-privilege-vulnerability-in-usb-driver"> 1306 Elevation of privilege vulnerability in USB driver</h3> 1307 <p>An elevation of privilege vulnerability in the USB driver could enable a local 1308 malicious application to execute arbitrary code within the context of the 1309 kernel. This issue is rated as Critical severity due to the possibility of a 1310 local permanent device compromise, which may require reflashing the operating 1311 system to repair the device.</p> 1312 1313 <table> 1314 <col width="19%"> 1315 <col width="16%"> 1316 <col width="10%"> 1317 <col width="27%"> 1318 <col width="16%"> 1319 <tr> 1320 <th>CVE</th> 1321 <th>References</th> 1322 <th>Severity</th> 1323 <th>Updated Nexus devices</th> 1324 <th>Date reported</th> 1325 </tr> 1326 <tr> 1327 <td>CVE-2015-8816</td> 1328 <td>A-28712303*</td> 1329 <td>Critical</td> 1330 <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, Pixel C</td> 1331 <td>May 4, 2016</td> 1332 </tr> 1333 </table> 1334 <p>* The patch for this issue is not publicly available. The update is contained in 1335 the latest binary drivers for Nexus devices available from the 1336 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1337 1338 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-components"> 1339 Elevation of privilege vulnerability in Qualcomm components</h3> 1340 <p>The table below contains security vulnerabilities affecting Qualcomm components 1341 including the bootloader, camera driver, character driver, networking, sound 1342 driver and video driver.</p> 1343 <p>The most severe of these issues is rated as Critical due to possibility of 1344 arbitrary code execution leading to the possibility of a local permanent device 1345 compromise, which may require reflashing the operating system to repair the 1346 device.</p> 1347 1348 <table> 1349 <col width="19%"> 1350 <col width="20%"> 1351 <col width="10%"> 1352 <col width="23%"> 1353 <col width="16%"> 1354 <tr> 1355 <th>CVE</th> 1356 <th>References</th> 1357 <th>Severity*</th> 1358 <th>Updated Nexus devices</th> 1359 <th>Date reported</th> 1360 </tr> 1361 <tr> 1362 <td>CVE-2014-9795</td> 1363 <td>A-28820720<br> 1364 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=ce2a0ea1f14298abc83729f3a095adab43342342">QC-CR681957</a> 1365 [<a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=fc3b31f81a1c128c2bcc745564a075022cd72a2e">2</a>] 1366 </td> 1367 <td>Critical</td> 1368 <td>Nexus 5</td> 1369 <td>Aug 8, 2014</td> 1370 </tr> 1371 <tr> 1372 <td>CVE-2014-9794</td> 1373 <td>A-28821172<br> 1374 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=f39085971c8c4e36cadbf8a72aabe6c7ff538ffa">QC-CR646385</a> 1375 </td> 1376 <td>Critical</td> 1377 <td>Nexus 7 (2013)</td> 1378 <td>Aug 8, 2014</td> 1379 </tr> 1380 <tr> 1381 <td>CVE-2015-8892</td> 1382 <td>A-28822807<br> 1383 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=fae606b9dd92c021e2419369975264f24f60db23">QC-CR902998</a> 1384 </td> 1385 <td>Critical</td> 1386 <td>Nexus 5X, Nexus 6P</td> 1387 <td>Dec 30, 2015</td> 1388 </tr> 1389 <tr> 1390 <td>CVE-2014-9781</td> 1391 <td>A-28410333<br> 1392 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/video/?h=LA.BF.1.1.3_rb1.12&id=a2b5237ad265ec634489c8b296d870827b2a1b13&context=20&ignorews=0&dt=0">QC-CR556471</a> 1393 </td> 1394 <td>High</td> 1395 <td>Nexus 7 (2013)</td> 1396 <td>Feb 6, 2014</td> 1397 </tr> 1398 <tr> 1399 <td>CVE-2014-9786</td> 1400 <td>A-28557260<br> 1401 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/patch/?id=2fb303d9c6ca080f253b10ed9384293ca69ad32b">QC-CR545979</a></td> 1402 <td>High</td> 1403 <td>Nexus 5, Nexus 7 (2013)</td> 1404 <td>Mar 13, 2014</td> 1405 </tr> 1406 <tr> 1407 <td>CVE-2014-9788</td> 1408 <td>A-28573112<br> 1409 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=73bfc22aa70cc0b7e6709381125a0a42aa72a4f2">QC-CR548872</a></td> 1410 <td>High</td> 1411 <td>Nexus 5</td> 1412 <td>Mar 13, 2014</td> 1413 </tr> 1414 <tr> 1415 <td>CVE-2014-9779</td> 1416 <td>A-28598347<br> 1417 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c?h=LA.BF.1.1.3_rb1.12&id=0b5f49b360afdebf8ef55df1e48ec141b3629621">QC-CR548679</a></td> 1418 <td>High</td> 1419 <td>Nexus 5</td> 1420 <td>Mar 13, 2014</td> 1421 </tr> 1422 <tr> 1423 <td>CVE-2014-9780</td> 1424 <td>A-28602014<br> 1425 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=b5bb13e1f738f90df11e0c17f843c73999a84a54">QC-CR542222</a></td> 1426 <td>High</td> 1427 <td>Nexus 5, Nexus 5X, Nexus 6P</td> 1428 <td>Mar 13, 2014</td> 1429 </tr> 1430 <tr> 1431 <td>CVE-2014-9789</td> 1432 <td>A-28749392<br> 1433 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=5720ed5c3a786e3ba0a2428ac45da5d7ec996b4e">QC-CR556425</a></td> 1434 <td>High</td> 1435 <td>Nexus 5</td> 1436 <td>Mar 13, 2014</td> 1437 </tr> 1438 <tr> 1439 <td>CVE-2014-9793</td> 1440 <td>A-28821253<br> 1441 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=0dcccecc4a6a9a9b3314cb87b2be8b52df1b7a81">QC-CR580567</a></td> 1442 <td>High</td> 1443 <td>Nexus 7 (2013)</td> 1444 <td>Mar 13, 2014</td> 1445 </tr> 1446 <tr> 1447 <td>CVE-2014-9782</td> 1448 <td>A-28431531<br> 1449 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/patch/?id=2e57a46ab2ba7299d99d9cdc1382bd1e612963fb">QC-CR511349</a></td> 1450 <td>High</td> 1451 <td>Nexus 5, Nexus 7 (2013)</td> 1452 <td>Mar 31, 2014</td> 1453 </tr> 1454 <tr> 1455 <td>CVE-2014-9783</td> 1456 <td>A-28441831<br> 1457 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=2b1050b49a9a5f7bb57006648d145e001a3eaa8b">QC-CR511382</a> 1458 [<a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=a7502f4f801bb95bff73617309835bb7a016cde5">2</a>]</td> 1459 <td>High</td> 1460 <td>Nexus 7 (2013)</td> 1461 <td>Mar 31, 2014</td> 1462 </tr> 1463 <tr> 1464 <td>CVE-2014-9785</td> 1465 <td>A-28469042<br> 1466 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=b4338420db61f029ca6713a89c41b3a5852b20ce">QC-CR545747</a></td> 1467 <td>High</td> 1468 <td>Nexus 7 (2013)</td> 1469 <td>Mar 31, 2014</td> 1470 </tr> 1471 <tr> 1472 <td>CVE-2014-9787</td> 1473 <td>A-28571496<br> 1474 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=528400ae4cba715f6c9ff4a2657dafd913f30b8b">QC-CR545764</a></td> 1475 <td>High</td> 1476 <td>Nexus 7 (2013)</td> 1477 <td>Mar 31, 2014</td> 1478 </tr> 1479 <tr> 1480 <td>CVE-2014-9784</td> 1481 <td>A-28442449<br> 1482 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=36503d639cedcc73880974ed92132247576e72ba">QC-CR585147</a></td> 1483 <td>High</td> 1484 <td>Nexus 5, Nexus 7 (2013)</td> 1485 <td>Apr 30, 2014</td> 1486 </tr> 1487 <tr> 1488 <td>CVE-2014-9777</td> 1489 <td>A-28598501<br> 1490 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=17bfaf64ad503d2e6607d2d3e0956f25bf07eb43">QC-CR563654</a></td> 1491 <td>High</td> 1492 <td>Nexus 5, Nexus 7 (2013)</td> 1493 <td>Apr 30, 2014</td> 1494 </tr> 1495 <tr> 1496 <td>CVE-2014-9778</td> 1497 <td>A-28598515<br> 1498 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=af85054aa6a1bcd38be2354921f2f80aef1440e5">QC-CR563694</a></td> 1499 <td>High</td> 1500 <td>Nexus 5, Nexus 7 (2013)</td> 1501 <td>Apr 30, 2014</td> 1502 </tr> 1503 <tr> 1504 <td>CVE-2014-9790</td> 1505 <td>A-28769136<br> 1506 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=6ed921bda8cbb505e8654dfc1095185b0bccc38e">QC-CR545716</a> 1507 [<a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit?h=LA.BF.1.1.3_rb1.12&id=9bc30c0d1832f7dd5b6fa10d5e48a29025176569">2</a>]</td> 1508 <td>High</td> 1509 <td>Nexus 5, Nexus 7 (2013)</td> 1510 <td>Apr 30, 2014</td> 1511 </tr> 1512 <tr> 1513 <td>CVE-2014-9792</td> 1514 <td>A-28769399<br> 1515 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=a3e3dd9fc0a2699ae053ffd3efb52cdc73ad94cd">QC-CR550606</a></td> 1516 <td>High</td> 1517 <td>Nexus 5</td> 1518 <td>Apr 30, 2014</td> 1519 </tr> 1520 <tr> 1521 <td>CVE-2014-9797</td> 1522 <td>A-28821090<br> 1523 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=3312737f3e1ec84dd67ee0622c7dd031083f71a4">QC-CR674071</a></td> 1524 <td>High</td> 1525 <td>Nexus 5</td> 1526 <td>Jul 3, 2014</td> 1527 </tr> 1528 <tr> 1529 <td>CVE-2014-9791</td> 1530 <td>A-28803396<br> 1531 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=9aabfc9e7775abbbcf534cdecccc4f12ee423b27">QC-CR659364</a></td> 1532 <td>High</td> 1533 <td>Nexus 7 (2013)</td> 1534 <td>Aug 29, 2014</td> 1535 </tr> 1536 <tr> 1537 <td>CVE-2014-9796</td> 1538 <td>A-28820722<br> 1539 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=2e21b3a57cac7fb876bcf43244d7cc3dc1f6030d">QC-CR684756</a></td> 1540 <td>High</td> 1541 <td>Nexus 5, Nexus 7 (2013)</td> 1542 <td>Sep 30, 2014</td> 1543 </tr> 1544 <tr> 1545 <td>CVE-2014-9800</td> 1546 <td>A-28822150<br> 1547 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=6390f200d966dc13cf61bb5abbe3110447ca82b5">QC-CR692478</a></td> 1548 <td>High</td> 1549 <td>Nexus 5, Nexus 7 (2013)</td> 1550 <td>Oct 31, 2014</td> 1551 </tr> 1552 <tr> 1553 <td>CVE-2014-9799</td> 1554 <td>A-28821731<br> 1555 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=c2119f1fba46f3b6e153aa018f15ee46fe6d5b76">QC-CR691916</a></td> 1556 <td>High</td> 1557 <td>Nexus 5, Nexus 7 (2013)</td> 1558 <td>Oct 31, 2014</td> 1559 </tr> 1560 <tr> 1561 <td>CVE-2014-9801</td> 1562 <td>A-28822060<br> 1563 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=cf8f5a105bafda906ccb7f149d1a5b8564ce20c0">QC-CR705078</a></td> 1564 <td>High</td> 1565 <td>Nexus 5</td> 1566 <td>Nov 28, 2014</td> 1567 </tr> 1568 <tr> 1569 <td>CVE-2014-9802</td> 1570 <td>A-28821965<br> 1571 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=222e0ec9bc755bfeaa74f9a0052b7c709a4ad054">QC-CR705108</a></td> 1572 <td>High</td> 1573 <td>Nexus 5, Nexus 7 (2013)</td> 1574 <td>Dec 31, 2014</td> 1575 </tr> 1576 <tr> 1577 <td>CVE-2015-8891</td> 1578 <td>A-28842418<br> 1579 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=4f829bb52d0338c87bc6fbd0414b258f55cc7c62">QC-CR813930</a></td> 1580 <td>High</td> 1581 <td>Nexus 5, Nexus 7 (2013)</td> 1582 <td>May 29, 2015</td> 1583 </tr> 1584 <tr> 1585 <td>CVE-2015-8888</td> 1586 <td>A-28822465<br> 1587 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=1321f34f1ebcff61ad7e65e507cfd3e9028af19b">QC-CR813933</a></td> 1588 <td>High</td> 1589 <td>Nexus 5</td> 1590 <td>Jun 30, 2015</td> 1591 </tr> 1592 <tr> 1593 <td>CVE-2015-8889</td> 1594 <td>A-28822677<br> 1595 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=fa774e023554427ee14d7a49181e9d4afbec035e">QC-CR804067</a></td> 1596 <td>High</td> 1597 <td>Nexus 6P</td> 1598 <td>Jun 30, 2015</td> 1599 </tr> 1600 <tr> 1601 <td>CVE-2015-8890</td> 1602 <td>A-28822878<br> 1603 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=e22aca36da2bb6f5016f3c885eb8c8ff85c115e4">QC-CR823461</a></td> 1604 <td>High</td> 1605 <td>Nexus 5, Nexus 7 (2013)</td> 1606 <td>Aug 19, 2015</td> 1607 </tr> 1608 </table> 1609 <p>* The severity rating for these issues is provided directly by Qualcomm.</p> 1610 1611 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-usb-driver"> 1612 Elevation of privilege vulnerability in Qualcomm USB driver</h3> 1613 <p>An elevation of privilege vulnerability in the Qualcomm USB driver could enable 1614 a local malicious application to execute arbitrary code within the context of 1615 the kernel. This issue is rated as High because it first requires compromising a 1616 privileged process.</p> 1617 1618 <table> 1619 <col width="19%"> 1620 <col width="16%"> 1621 <col width="10%"> 1622 <col width="27%"> 1623 <col width="16%"> 1624 <tr> 1625 <th>CVE</th> 1626 <th>References</th> 1627 <th>Severity</th> 1628 <th>Updated Nexus devices</th> 1629 <th>Date reported</th> 1630 </tr> 1631 <tr> 1632 <td>CVE-2016-2502</td> 1633 <td>A-27657963 1634 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=0bc45d7712eabe315ce8299a49d16433c3801156">QC-CR997044</a></td> 1635 <td>High</td> 1636 <td>Nexus 5X, Nexus 6P</td> 1637 <td>Mar 11, 2016</td> 1638 </tr> 1639 </table> 1640 1641 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-wi-fi-driver"> 1642 Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3> 1643 <p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could 1644 enable a local malicious application to execute arbitrary code within the 1645 context of the kernel. This issue is rated as High because it first requires 1646 compromising a privileged process.</p> 1647 1648 <table> 1649 <col width="19%"> 1650 <col width="16%"> 1651 <col width="10%"> 1652 <col width="27%"> 1653 <col width="16%"> 1654 <tr> 1655 <th>CVE</th> 1656 <th>References</th> 1657 <th>Severity</th> 1658 <th>Updated Nexus devices</th> 1659 <th>Date reported</th> 1660 </tr> 1661 <tr> 1662 <td>CVE-2016-3792</td> 1663 <td>A-27725204 1664 <a href="https://us.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=28d4f0c1f712bffb4aa5b47f06e97d5a9fa06d29">QC-CR561022</a></td> 1665 <td>High</td> 1666 <td>Nexus 7 (2013)</td> 1667 <td>Mar 17, 2016</td> 1668 </tr> 1669 </table> 1670 1671 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-camera-driver"> 1672 Elevation of privilege vulnerability in Qualcomm camera driver</h3> 1673 <p>An elevation of privilege vulnerability in the Qualcomm camera driver could 1674 enable a local malicious application to execute arbitrary code within the 1675 context of the kernel. This issue is rated as High because it first requires 1676 compromising a privileged process.</p> 1677 1678 <table> 1679 <col width="19%"> 1680 <col width="16%"> 1681 <col width="10%"> 1682 <col width="27%"> 1683 <col width="16%"> 1684 <tr> 1685 <th>CVE</th> 1686 <th>References</th> 1687 <th>Severity</th> 1688 <th>Updated Nexus devices</th> 1689 <th>Date reported</th> 1690 </tr> 1691 <tr> 1692 <td>CVE-2016-2501</td> 1693 <td>A-27890772* 1694 QC-CR1001092</td> 1695 <td>High</td> 1696 <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013)</td> 1697 <td>Mar 27, 2016</td> 1698 </tr> 1699 </table> 1700 <p>* The patch for this issue is not publicly available. The update is contained in 1701 the latest binary drivers for Nexus devices available from the 1702 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1703 1704 <h3 id="elevation-of-privilege-vulnerability-in-nvidia-camera-driver"> 1705 Elevation of privilege vulnerability in NVIDIA camera driver</h3> 1706 <p>An elevation of privilege vulnerability in the NVIDIA camera driver could enable 1707 a local malicious application to execute arbitrary code within the context of 1708 the kernel. This issue is rated as High because it first requires compromising a 1709 privileged process.</p> 1710 1711 <table> 1712 <col width="19%"> 1713 <col width="20%"> 1714 <col width="10%"> 1715 <col width="23%"> 1716 <col width="16%"> 1717 <tr> 1718 <th>CVE</th> 1719 <th>References</th> 1720 <th>Severity</th> 1721 <th>Updated Nexus devices</th> 1722 <th>Date reported</th> 1723 </tr> 1724 <tr> 1725 <td>CVE-2016-3793</td> 1726 <td>A-28026625*<br> 1727 N-CVE20163793</td> 1728 <td>High</td> 1729 <td>Nexus 9</td> 1730 <td>Apr 5, 2016</td> 1731 </tr> 1732 </table> 1733 <p>* The patch for this issue is not publicly available. The update is contained in 1734 the latest binary drivers for Nexus devices available from the 1735 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1736 1737 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-power-driver"> 1738 Elevation of privilege vulnerability in MediaTek power driver</h3> 1739 <p>An elevation of privilege in the MediaTek power driver could enable a local 1740 malicious application to execute arbitrary code within the context of the 1741 kernel. This issue is rated as High because it first requires compromising a 1742 privileged process.</p> 1743 1744 <table> 1745 <col width="19%"> 1746 <col width="20%"> 1747 <col width="10%"> 1748 <col width="23%"> 1749 <col width="16%"> 1750 <tr> 1751 <th>CVE</th> 1752 <th>References</th> 1753 <th>Severity</th> 1754 <th>Updated Nexus devices</th> 1755 <th>Date reported</th> 1756 </tr> 1757 <tr> 1758 <td>CVE-2016-3795</td> 1759 <td>A-28085222*<br> 1760 M-ALPS02677244</td> 1761 <td>High</td> 1762 <td>Android One</td> 1763 <td>Apr 7, 2016</td> 1764 </tr> 1765 <tr> 1766 <td>CVE-2016-3796</td> 1767 <td>A-29008443*<br> 1768 M-ALPS02677244</td> 1769 <td>High</td> 1770 <td>Android One</td> 1771 <td>Apr 7, 2016</td> 1772 </tr> 1773 </table> 1774 <p>* The patch for this issue is not publicly available. The update is contained in 1775 the latest binary drivers for Nexus devices available from the 1776 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1777 1778 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-wi-fi-driver-2"> 1779 Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3> 1780 <p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could 1781 enable a local malicious application to execute arbitrary code within the 1782 context of the kernel. This issue is rated as High because it first requires 1783 compromising a privileged process.</p> 1784 1785 <table> 1786 <col width="19%"> 1787 <col width="16%"> 1788 <col width="10%"> 1789 <col width="27%"> 1790 <col width="16%"> 1791 <tr> 1792 <th>CVE</th> 1793 <th>References</th> 1794 <th>Severity</th> 1795 <th>Updated Nexus devices</th> 1796 <th>Date reported</th> 1797 </tr> 1798 <tr> 1799 <td>CVE-2016-3797</td> 1800 <td>A-28085680* 1801 QC-CR1001450</td> 1802 <td>High</td> 1803 <td>Nexus 5X</td> 1804 <td>Apr 7, 2016</td> 1805 </tr> 1806 </table> 1807 <p>* The patch for this issue is not publicly available. The update is contained in 1808 the latest binary drivers for Nexus devices available from the 1809 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1810 1811 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-hardware-sensor-driver"> 1812 Elevation of privilege vulnerability in MediaTek hardware sensor driver</h3> 1813 <p>An elevation of privilege vulnerability in the MediaTek hardware sensor driver 1814 could enable a local malicious application to execute arbitrary code within the 1815 context of the kernel. This issue is rated as High because it first requires 1816 compromising a privileged process.</p> 1817 1818 <table> 1819 <col width="19%"> 1820 <col width="20%"> 1821 <col width="10%"> 1822 <col width="23%"> 1823 <col width="16%"> 1824 <tr> 1825 <th>CVE</th> 1826 <th>References</th> 1827 <th>Severity</th> 1828 <th>Updated Nexus devices</th> 1829 <th>Date reported</th> 1830 </tr> 1831 <tr> 1832 <td>CVE-2016-3798</td> 1833 <td>A-28174490*<br> 1834 M-ALPS02703105</td> 1835 <td>High</td> 1836 <td>Android One</td> 1837 <td>Apr 11, 2016</td> 1838 </tr> 1839 </table> 1840 <p>* The patch for this issue is not publicly available. The update is contained in 1841 the latest binary drivers for Nexus devices available from the 1842 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1843 1844 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-video-driver"> 1845 Elevation of privilege vulnerability in MediaTek video driver</h3> 1846 <p>An elevation of privilege vulnerability in the MediaTek video driver could 1847 enable a local malicious application to execute arbitrary code within the 1848 context of the kernel. This issue is rated as High because it first requires 1849 compromising a privileged process.</p> 1850 1851 <table> 1852 <col width="19%"> 1853 <col width="20%"> 1854 <col width="10%"> 1855 <col width="23%"> 1856 <col width="16%"> 1857 <tr> 1858 <th>CVE</th> 1859 <th>References</th> 1860 <th>Severity</th> 1861 <th>Updated Nexus devices</th> 1862 <th>Date reported</th> 1863 </tr> 1864 <tr> 1865 <td>CVE-2016-3799</td> 1866 <td>A-28175025*<br> 1867 M-ALPS02693738</td> 1868 <td>High</td> 1869 <td>Android One</td> 1870 <td>Apr 11, 2016</td> 1871 </tr> 1872 <tr> 1873 <td>CVE-2016-3800</td> 1874 <td>A-28175027*<br> 1875 M-ALPS02693739</td> 1876 <td>High</td> 1877 <td>Android One</td> 1878 <td>Apr 11, 2016</td> 1879 </tr> 1880 </table> 1881 <p>* The patch for this issue is not publicly available. The update is contained in 1882 the latest binary drivers for Nexus devices available from the 1883 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1884 1885 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-gps-driver"> 1886 Elevation of privilege vulnerability in MediaTek GPS driver</h3> 1887 <p>An elevation of privilege vulnerability in the MediaTek GPS driver could enable 1888 a local malicious application to execute arbitrary code within the context of 1889 the kernel. This issue is rated as High because it first requires compromising a 1890 privileged process.</p> 1891 1892 <table> 1893 <col width="19%"> 1894 <col width="20%"> 1895 <col width="10%"> 1896 <col width="23%"> 1897 <col width="16%"> 1898 <tr> 1899 <th>CVE</th> 1900 <th>References</th> 1901 <th>Severity</th> 1902 <th>Updated Nexus devices</th> 1903 <th>Date reported</th> 1904 </tr> 1905 <tr> 1906 <td>CVE-2016-3801</td> 1907 <td>A-28174914*<br> 1908 M-ALPS02688853</td> 1909 <td>High</td> 1910 <td>Android One</td> 1911 <td>Apr 11, 2016</td> 1912 </tr> 1913 </table> 1914 <p>* The patch for this issue is not publicly available. The update is contained in 1915 the latest binary drivers for Nexus devices available from the 1916 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1917 1918 <h3 id="elevation-of-privilege-vulnerability-in-kernel-file-system-2"> 1919 Elevation of privilege vulnerability in kernel file system</h3> 1920 <p>An elevation of privilege vulnerability in the kernel file system could enable a 1921 local malicious application to execute arbitrary code within the context of the 1922 kernel. This issue is rated as High because it first requires compromising a 1923 privileged process.</p> 1924 1925 <table> 1926 <col width="19%"> 1927 <col width="16%"> 1928 <col width="10%"> 1929 <col width="27%"> 1930 <col width="16%"> 1931 <tr> 1932 <th>CVE</th> 1933 <th>References</th> 1934 <th>Severity</th> 1935 <th>Updated Nexus devices</th> 1936 <th>Date reported</th> 1937 </tr> 1938 <tr> 1939 <td>CVE-2016-3802</td> 1940 <td>A-28271368*</td> 1941 <td>High</td> 1942 <td>Nexus 9</td> 1943 <td>Apr 19, 2016</td> 1944 </tr> 1945 <tr> 1946 <td>CVE-2016-3803</td> 1947 <td>A-28588434*</td> 1948 <td>High</td> 1949 <td>Nexus 5X, Nexus 6P</td> 1950 <td>May 4, 2016</td> 1951 </tr> 1952 </table> 1953 <p>* The patch for this issue is not publicly available. The update is contained in 1954 the latest binary drivers for Nexus devices available from the 1955 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1956 1957 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-power-management-driver"> 1958 Elevation of privilege vulnerability in MediaTek power management driver</h3> 1959 <p>An elevation of privilege in the MediaTek power management driver could enable a 1960 local malicious application to execute arbitrary code within the context of the 1961 kernel. This issue is rated as High because it first requires compromising a 1962 privileged process.</p> 1963 1964 <table> 1965 <col width="19%"> 1966 <col width="20%"> 1967 <col width="10%"> 1968 <col width="23%"> 1969 <col width="16%"> 1970 <tr> 1971 <th>CVE</th> 1972 <th>References</th> 1973 <th>Severity</th> 1974 <th>Updated Nexus devices</th> 1975 <th>Date reported</th> 1976 </tr> 1977 <tr> 1978 <td>CVE-2016-3804</td> 1979 <td>A-28332766*<br> 1980 M-ALPS02694410</td> 1981 <td>High</td> 1982 <td>Android One</td> 1983 <td>Apr 20, 2016</td> 1984 </tr> 1985 <tr> 1986 <td>CVE-2016-3805</td> 1987 <td>A-28333002*<br> 1988 M-ALPS02694412</td> 1989 <td>High</td> 1990 <td>Android One</td> 1991 <td>Apr 21, 2016</td> 1992 </tr> 1993 </table> 1994 <p>* The patch for this issue is not publicly available. The update is contained in 1995 the latest binary drivers for Nexus devices available from the 1996 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1997 1998 <h3 id="elevation-of-privilege-vulnerability-in-mediatek-display-driver"> 1999 Elevation of privilege vulnerability in MediaTek display driver</h3> 2000 <p>An elevation of privilege vulnerability in the MediaTek display driver could 2001 enable a local malicious application to execute arbitrary code within the 2002 context of the kernel. This issue is rated as High because it first requires 2003 compromising a privileged process.</p> 2004 2005 <table> 2006 <col width="19%"> 2007 <col width="20%"> 2008 <col width="10%"> 2009 <col width="23%"> 2010 <col width="16%"> 2011 <tr> 2012 <th>CVE</th> 2013 <th>References</th> 2014 <th>Severity</th> 2015 <th>Updated Nexus devices</th> 2016 <th>Date reported</th> 2017 </tr> 2018 <tr> 2019 <td>CVE-2016-3806</td> 2020 <td>A-28402341*<br> 2021 M-ALPS02715341</td> 2022 <td>High</td> 2023 <td>Android One</td> 2024 <td>Apr 26, 2016</td> 2025 </tr> 2026 </table> 2027 <p>* The patch for this issue is not publicly available. The update is contained in 2028 the latest binary drivers for Nexus devices available from the 2029 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2030 2031 <h3 id="elevation-of-privilege-vulnerability-in-serial-peripheral-interface-driver"> 2032 Elevation of privilege vulnerability in serial peripheral interface driver</h3> 2033 <p>An elevation of privilege vulnerability in the serial peripheral interface 2034 driver could enable a local malicious application to execute arbitrary code 2035 within the context of the kernel. This issue is rated as High because it first 2036 requires compromising a privileged process.</p> 2037 2038 <table> 2039 <col width="19%"> 2040 <col width="16%"> 2041 <col width="10%"> 2042 <col width="27%"> 2043 <col width="16%"> 2044 <tr> 2045 <th>CVE</th> 2046 <th>References</th> 2047 <th>Severity</th> 2048 <th>Updated Nexus devices</th> 2049 <th>Date reported</th> 2050 </tr> 2051 <tr> 2052 <td>CVE-2016-3807</td> 2053 <td>A-28402196*</td> 2054 <td>High</td> 2055 <td>Nexus 5X, Nexus 6P</td> 2056 <td>Apr 26, 2016</td> 2057 </tr> 2058 <tr> 2059 <td>CVE-2016-3808</td> 2060 <td>A-28430009*</td> 2061 <td>High</td> 2062 <td>Pixel C</td> 2063 <td>Apr 26, 2016</td> 2064 </tr> 2065 </table> 2066 <p>* The patch for this issue is not publicly available. The update is contained in 2067 the latest binary drivers for Nexus devices available from the 2068 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2069 2070 <h3 id="elevation-of-privilege-vulnerability-in-qualcomm-sound-driver"> 2071 Elevation of privilege vulnerability in Qualcomm sound driver</h3> 2072 <p>An elevation of privilege vulnerability in the Qualcomm sound driver could 2073 enable a local malicious application to execute arbitrary code within the 2074 context of the kernel. This issue is rated as High severity because it first 2075 requires compromising a privileged process.</p> 2076 2077 <table> 2078 <col width="19%"> 2079 <col width="16%"> 2080 <col width="10%"> 2081 <col width="27%"> 2082 <col width="16%"> 2083 <tr> 2084 <th>CVE</th> 2085 <th>References</th> 2086 <th>Severity</th> 2087 <th>Updated Nexus devices</th> 2088 <th>Date reported</th> 2089 </tr> 2090 <tr> 2091 <td>CVE-2016-2068</td> 2092 <td>A-28470967 2093 <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=01ee86da5a0cd788f134e360e2be517ef52b6b00">QC-CR1006609</a></td> 2094 <td>High</td> 2095 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td> 2096 <td>Apr 28, 2016</td> 2097 </tr> 2098 </table> 2099 2100 <h3 id="elevation-of-privilege-vulnerability-in-kernel"> 2101 Elevation of privilege vulnerability in kernel</h3> 2102 <p>An elevation of privilege vulnerability in the kernel could enable a local 2103 malicious application to execute arbitrary code within the context of the 2104 kernel. This issue is rated as High because it first requires compromising a 2105 privileged process.</p> 2106 2107 <table> 2108 <col width="19%"> 2109 <col width="20%"> 2110 <col width="10%"> 2111 <col width="23%"> 2112 <col width="16%"> 2113 <tr> 2114 <th>CVE</th> 2115 <th>References</th> 2116 <th>Severity</th> 2117 <th>Updated Nexus devices</th> 2118 <th>Date reported</th> 2119 </tr> 2120 <tr> 2121 <td>CVE-2014-9803</td> 2122 <td>A-28557020<br> 2123 <a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/arch/arm64/include/asm/pgtable.h?h=linux-3.10.y&id=5a0fdfada3a2aa50d7b947a2e958bf00cbe0d830"> 2124 Upstream kernel</a></td> 2125 <td>High</td> 2126 <td>Nexus 5X, Nexus 6P</td> 2127 <td>Google internal</td> 2128 </tr> 2129 </table> 2130 2131 <h3 2132 id="information-disclosure-vulnerability-in-networking-component"> 2133 Information disclosure vulnerability in networking component</h3> 2134 <p>An information disclosure vulnerability in the networking component could enable 2135 a local malicious application to access data outside of its permission levels. 2136 This issue is rated as High because it could be used to access sensitive data 2137 without explicit user permission.</p> 2138 2139 <table> 2140 <col width="19%"> 2141 <col width="16%"> 2142 <col width="10%"> 2143 <col width="27%"> 2144 <col width="16%"> 2145 <tr> 2146 <th>CVE</th> 2147 <th>References</th> 2148 <th>Severity</th> 2149 <th>Updated Nexus devices</th> 2150 <th>Date reported</th> 2151 </tr> 2152 <tr> 2153 <td>CVE-2016-3809</td> 2154 <td>A-27532522*</td> 2155 <td>High</td> 2156 <td><a href="#all_nexus">All Nexus</a></td> 2157 <td>Mar 5, 2016</td> 2158 </tr> 2159 </table> 2160 <p>* The patch for this issue is not publicly available. The update is contained in 2161 the latest binary drivers for Nexus devices available from the 2162 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2163 2164 <h3 id="information-disclosure-vulnerability-in-mediatek-wi-fi-driver"> 2165 Information disclosure vulnerability in MediaTek Wi-Fi driver</h3> 2166 <p>An information disclosure vulnerability in the MediaTek Wi-Fi driver could 2167 enable a local malicious application to access data outside of its permission 2168 levels. This issue is rated as High because it could be used to access sensitive 2169 data without explicit user permission.</p> 2170 2171 <table> 2172 <col width="19%"> 2173 <col width="20%"> 2174 <col width="10%"> 2175 <col width="23%"> 2176 <col width="16%"> 2177 <tr> 2178 <th>CVE</th> 2179 <th>References</th> 2180 <th>Severity</th> 2181 <th>Updated Nexus devices</th> 2182 <th>Date reported</th> 2183 </tr> 2184 <tr> 2185 <td>CVE-2016-3810</td> 2186 <td>A-28175522*<br> 2187 M-ALPS02694389</td> 2188 <td>High</td> 2189 <td>Android One</td> 2190 <td>Apr 12, 2016</td> 2191 </tr> 2192 </table> 2193 <p>* The patch for this issue is not publicly available. The update is contained in 2194 the latest binary drivers for Nexus devices available from the 2195 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2196 2197 <h3 id="elevation-of-privilege-vulnerability-in-kernel-video-driver"> 2198 Elevation of privilege vulnerability in kernel video driver</h3> 2199 <p>An elevation of privilege vulnerability in the kernel video driver could enable 2200 a local malicious application to execute arbitrary code within the context of 2201 the kernel. This issue is rated as Moderate because it first requires 2202 compromising a privileged process.</p> 2203 2204 <table> 2205 <col width="19%"> 2206 <col width="16%"> 2207 <col width="10%"> 2208 <col width="27%"> 2209 <col width="16%"> 2210 <tr> 2211 <th>CVE</th> 2212 <th>References</th> 2213 <th>Severity</th> 2214 <th>Updated Nexus devices</th> 2215 <th>Date reported</th> 2216 </tr> 2217 <tr> 2218 <td>CVE-2016-3811</td> 2219 <td>A-28447556*</td> 2220 <td>Moderate</td> 2221 <td>Nexus 9</td> 2222 <td>Google internal</td> 2223 </tr> 2224 </table> 2225 <p>* The patch for this issue is not publicly available. The update is contained in 2226 the latest binary drivers for Nexus devices available from the 2227 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2228 2229 <h3 id="information-disclosure-vulnerability-in-mediatek-video-codec-driver"> 2230 Information disclosure vulnerability in MediaTek video codec driver</h3> 2231 <p>An information disclosure vulnerability in the MediaTek video codec driver could 2232 enable a local malicious application to access data outside of its permission 2233 levels. This issue is rated as Moderate because it first requires compromising a 2234 privileged process.</p> 2235 2236 <table> 2237 <col width="19%"> 2238 <col width="20%"> 2239 <col width="10%"> 2240 <col width="23%"> 2241 <col width="16%"> 2242 <tr> 2243 <th>CVE</th> 2244 <th>References</th> 2245 <th>Severity</th> 2246 <th>Updated Nexus devices</th> 2247 <th>Date reported</th> 2248 </tr> 2249 <tr> 2250 <td>CVE-2016-3812</td> 2251 <td>A-28174833*<br> 2252 M-ALPS02688832</td> 2253 <td>Moderate</td> 2254 <td>Android One</td> 2255 <td>Apr 11, 2016</td> 2256 </tr> 2257 </table> 2258 <p>* The patch for this issue is not publicly available. The update is contained in 2259 the latest binary drivers for Nexus devices available from the 2260 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2261 2262 <h3 id="information-disclosure-vulnerability-in-qualcomm-usb-driver"> 2263 Information disclosure vulnerability in Qualcomm USB driver</h3> 2264 <p>An information disclosure vulnerability in the Qualcomm USB driver could enable 2265 a local malicious application to access data outside of its permission levels. 2266 This issue is rated as Moderate because it first requires compromising a 2267 privileged process.</p> 2268 2269 <table> 2270 <col width="19%"> 2271 <col width="16%"> 2272 <col width="10%"> 2273 <col width="27%"> 2274 <col width="16%"> 2275 <tr> 2276 <th>CVE</th> 2277 <th>References</th> 2278 <th>Severity</th> 2279 <th>Updated Nexus devices</th> 2280 <th>Date reported</th> 2281 </tr> 2282 <tr> 2283 <td>CVE-2016-3813</td> 2284 <td>A-28172322* 2285 QC-CR1010222</td> 2286 <td>Moderate</td> 2287 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td> 2288 <td>Apr 11, 2016</td> 2289 </tr> 2290 </table> 2291 <p>* The patch for this issue is not publicly available. The update is contained in 2292 the latest binary drivers for Nexus devices available from the 2293 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2294 2295 <h3 id="information-disclosure-vulnerability-in-nvidia-camera-driver"> 2296 Information disclosure vulnerability in NVIDIA camera driver</h3> 2297 <p>An information disclosure vulnerability in the NVIDIA camera driver could enable 2298 a local malicious application to access data outside of its permission levels. 2299 This issue is rated as Moderate because it first requires compromising a 2300 privileged process.</p> 2301 2302 <table> 2303 <col width="19%"> 2304 <col width="20%"> 2305 <col width="10%"> 2306 <col width="23%"> 2307 <col width="16%"> 2308 <tr> 2309 <th>CVE</th> 2310 <th>References</th> 2311 <th>Severity</th> 2312 <th>Updated Nexus devices</th> 2313 <th>Date reported</th> 2314 </tr> 2315 <tr> 2316 <td>CVE-2016-3814</td> 2317 <td>A-28193342*<br> 2318 N-CVE20163814</td> 2319 <td>Moderate</td> 2320 <td>Nexus 9</td> 2321 <td>Apr 14, 2016</td> 2322 </tr> 2323 <tr> 2324 <td>CVE-2016-3815</td> 2325 <td>A-28522274*<br> 2326 N-CVE20163815</td> 2327 <td>Moderate</td> 2328 <td>Nexus 9</td> 2329 <td>May 1, 2016</td> 2330 </tr> 2331 </table> 2332 <p>* The patch for this issue is not publicly available. The update is contained in 2333 the latest binary drivers for Nexus devices available from the 2334 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2335 2336 <h3 id="information-disclosure-vulnerability-in-mediatek-display-driver"> 2337 Information disclosure vulnerability in MediaTek display driver</h3> 2338 <p>An information disclosure vulnerability in the MediaTek display driver could 2339 enable a local malicious application to access data outside of its permission 2340 levels. This issue is rated as Moderate because it first requires compromising a 2341 privileged process.</p> 2342 2343 <table> 2344 <col width="19%"> 2345 <col width="16%"> 2346 <col width="10%"> 2347 <col width="27%"> 2348 <col width="16%"> 2349 <tr> 2350 <th>CVE</th> 2351 <th>References</th> 2352 <th>Severity</th> 2353 <th>Updated Nexus devices</th> 2354 <th>Date reported</th> 2355 </tr> 2356 <tr> 2357 <td>CVE-2016-3816</td> 2358 <td>A-28402240*</td> 2359 <td>Moderate</td> 2360 <td>Android One</td> 2361 <td>Apr 26, 2016</td> 2362 </tr> 2363 </table> 2364 <p>* The patch for this issue is not publicly available. The update is contained in 2365 the latest binary drivers for Nexus devices available from the 2366 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 2367 2368 <h3 id="information-disclosure-vulnerability-in-kernel-teletype-driver"> 2369 Information disclosure vulnerability in kernel teletype driver</h3> 2370 <p>An information disclosure vulnerability in the teletype driver could enable a 2371 local malicious application to access data outside of its permission levels. 2372 This issue is rated as Moderate because it first requires compromising a 2373 privileged process.</p> 2374 2375 <table> 2376 <col width="19%"> 2377 <col width="20%"> 2378 <col width="10%"> 2379 <col width="23%"> 2380 <col width="16%"> 2381 <tr> 2382 <th>CVE</th> 2383 <th>References</th> 2384 <th>Severity</th> 2385 <th>Updated Nexus devices</th> 2386 <th>Date reported</th> 2387 </tr> 2388 <tr> 2389 <td>CVE-2016-0723</td> 2390 <td>A-28409131<br> 2391 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5c17c861a357e9458001f021a7afa7aab9937439">Upstream 2392 kernel</a></td> 2393 <td>Moderate</td> 2394 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus 2395 Player, Pixel C</td> 2396 <td>Apr 26, 2016</td> 2397 </tr> 2398 </table> 2399 2400 <h3 id="denial-of-service-vulnerability-in-qualcomm-bootloader"> 2401 Denial of service vulnerability in Qualcomm bootloader</h3> 2402 <p>A denial of service vulnerability in the Qualcomm bootloader could enable a 2403 local malicious application to cause a local permanent device compromise, which 2404 may require reflashing the operating system to repair the device. This issue is 2405 rated as Moderate because it first requires compromising a privileged process.</p> 2406 2407 <table> 2408 <col width="19%"> 2409 <col width="16%"> 2410 <col width="10%"> 2411 <col width="27%"> 2412 <col width="16%"> 2413 <tr> 2414 <th>CVE</th> 2415 <th>References</th> 2416 <th>Severity</th> 2417 <th>Updated Nexus devices</th> 2418 <th>Date reported</th> 2419 </tr> 2420 <tr> 2421 <td>CVE-2014-9798</td> 2422 <td>A-28821448 2423 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=b05eed2491a098bf627ac485a5b43d2f4fae2484">QC-CR681965</a></td> 2424 <td>Moderate</td> 2425 <td>Nexus 5</td> 2426 <td>Oct 31, 2014</td> 2427 </tr> 2428 <tr> 2429 <td>CVE-2015-8893</td> 2430 <td>A-28822690 2431 <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=800255e8bfcc31a02e89460460e3811f225e7a69">QC-CR822275</a></td> 2432 <td>Moderate</td> 2433 <td>Nexus 5, Nexus 7 (2013)</td> 2434 <td>Aug 19, 2015</td> 2435 </tr> 2436 </table> 2437 <h2 id="common-questions-and-answers">Common questions and answers</h2> 2438 <p>This section answers common questions that may occur after reading this 2439 bulletin.</p> 2440 2441 <p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 2442 <p>Security Patch Levels of 2016-07-01 or later address all issues associated with 2443 the 2016-7-01 security patch string level. Security Patch Levels of 2016-07-05 2444 or later address all issues associated with the 2016-07-05 security patch string 2445 level. Refer to the <a 2446 href="https://support.google.com/nexus/answer/4457705">help center</a> 2447 for instructions on how to check the security patch level. Device manufacturers 2448 that include these updates should set the patch string level to: 2449 [ro.build.version.security_patch]:[2016-07-01] or 2450 [ro.build.version.security_patch]:[2016-07-05].</p> 2451 2452 <p><strong>2. Why does this bulletin have two security patch level strings?</strong></p> 2453 <p>This bulletin has two security patch level strings in order to provide 2454 Android partners with the flexibility to move more quickly to fix a subset of 2455 vulnerabilities that are similar across all Android devices. Android partners 2456 are encouraged to fix all issues in this bulletin and use the latest security 2457 patch level string.</p> 2458 <p>Devices that use the security patch level of July 5, 2016 or newer must 2459 include all applicable patches in this (and previous) security bulletins.</p> 2460 <p>Devices that use the July 1, 2016 security patch level must include all 2461 issues associated with that security patch level, as well as fixes for all 2462 issues reported in previous security bulletins. Devices that use July 1, 2016 2463 security patch level may also include a subset of fixes associated with the 2464 July 5, 2016 security patch level.</p> 2465 2466 <p id="all_nexus"><strong>3. How do I determine which Nexus devices are affected 2467 by each issue?</strong></p> 2468 <p>In the <a href="#2016-07-01-details">2016-07-01</a> and 2469 <a href="#2016-07-05-details">2016-07-05</a> security vulnerability details sections, 2470 each table has an Updated Nexus devices column that covers the range of affected 2471 Nexus devices updated for each issue. This column has a few options:</p> 2472 <ul> 2473 <li><strong>All Nexus devices</strong>: If an issue affects all Nexus devices, 2474 the table will have All Nexus in the <em>Updated Nexus devices</em> column. 2475 All Nexus encapsulates the following 2476 <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">supported 2477 devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, 2478 Android One, Nexus Player, and Pixel C.</li> 2479 <li><strong>Some Nexus devices</strong>: If an issue doesnt affect all Nexus 2480 devices, the affected Nexus devices are listed in the <em>Updated Nexus 2481 devices</em> column.</li> 2482 <li><strong>No Nexus devices</strong>: If no Nexus devices are affected by the 2483 issue, the table will have None in the <em>Updated Nexus devices</em> column.</li> 2484 </ul> 2485 2486 <p><strong>4. What do the entries in the references column map to?</strong></p> 2487 <p>Entries under the <em>References</em> column of the vulnerability details table may 2488 contain a prefix identifying the organization to which the reference value belongs. These prefixes 2489 map as follows:</p> 2490 2491 <table> 2492 <tr> 2493 <th>Prefix</th> 2494 <th>Reference</th> 2495 </tr> 2496 <tr> 2497 <td>A-</td> 2498 <td>Android bug ID</td> 2499 </tr> 2500 <tr> 2501 <td>QC-</td> 2502 <td>Qualcomm reference number</td> 2503 </tr> 2504 <tr> 2505 <td>M-</td> 2506 <td>MediaTek reference number</td> 2507 </tr> 2508 <tr> 2509 <td>N-</td> 2510 <td>NVIDIA reference number</td> 2511 </tr> 2512 </table> 2513 2514 <h2 id="revisions">Revisions</h2> 2515 <ul> 2516 <li>July 06, 2016: Bulletin published.</li> 2517 <li>July 07, 2016: 2518 <ul> 2519 <li>Added AOSP links. 2520 <li>Removed CVE-2016-3794 because it is a duplicate of CVE-2016-3814 2521 <li>Added attribution for CVE-2016-2501 and CVE-2016-2502 2522 </ul> 2523 </li> 2524 <li>July 11, 2016: Updated attribution for CVE-2016-3750</li> 2525 <li>July 14, 2016: Updated attribution for CVE-2016-2503</li> 2526 </ul> 2527 2528 </body> 2529 </html> 2530
