1 <html devsite> 2 <head> 3 <title>Android Security BulletinSeptember 2016</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>Published September 06, 2016 | Updated September 12, 2016</em> 27 </p> 28 29 <p> 30 The Android Security Bulletin contains details of security vulnerabilities 31 affecting Android devices. Alongside the bulletin, we have released a security 32 update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware 33 images have also been released to the 34 <a href="https://developers.google.com/android/nexus/images">Google Developer 35 site</a>. Security Patch Levels of September 06, 2016 or later address these 36 issues. Refer to the 37 <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">documentation</a> 38 to learn how to check the security patch level. Supported Nexus devices will 39 receive a single OTA update with the September 06, 2016 security patch level. 40 </p> 41 42 <p> 43 Partners were notified about the issues described in the bulletin on August 05, 44 2016 or earlier. Where applicable, source code patches for these issues have 45 been released to the Android Open Source Project (AOSP) repository. This 46 bulletin also includes links to patches outside of AOSP. 47 </p> 48 49 <p> 50 The most severe of these issues is a Critical security vulnerability that could 51 enable remote code execution on an affected device through multiple methods such 52 as email, web browsing, and MMS when processing media files. The 53 <a href="/security/overview/updates-resources.html#severity">severity 54 assessment</a> is based on the effect that exploiting the vulnerability would 55 possibly have on an affected device, assuming the platform and service 56 mitigations are disabled for development purposes or if successfully bypassed. 57 </p> 58 59 <p> 60 We have had no reports of active customer exploitation or abuse of these newly 61 reported issues. Refer to the 62 <a href="#mitigations">Android and Google service mitigations</a> 63 section for details on the <a href="/security/enhancements/index.html">Android 64 security platform protections</a> and service protections such as SafetyNet, 65 which improve the security of the Android platform. 66 </p> 67 68 <p> 69 We encourage all customers to accept these updates to their devices. 70 </p> 71 72 <h2 id="announcements">Announcements</h2> 73 <ul> 74 <li>This bulletin has three security patch level strings to provide Android 75 partners with the flexibility to move more quickly to fix a subset of 76 vulnerabilities that are similar across all Android devices. See 77 <a href="#common-questions-and-answers">Common questions and answers</a> for 78 additional information: 79 <ul> 80 <li><strong>2016-09-01</strong>: Partial security patch level string. This 81 security patch level string indicates that all issues associated with 2016-09-01 82 (and all previous security patch level strings) are addressed.</li> 83 <li><strong>2016-09-05</strong>: Partial security patch level string. This 84 security patch level string indicates that all issues associated with 2016-09-01 85 and 2016-09-05 (and all previous security patch level strings) are addressed.</li> 86 <li><strong>2016-09-06</strong>: Complete security patch level string, which 87 addresses issues that were discovered after partners were notified of most 88 issues in this bulletin. This security patch level string indicates that all 89 issues associated with 2016-09-01, 2016-09-05, and 2016-09-06 (and all previous 90 security patch level strings) are addressed.</li> 91 </ul> 92 </li> 93 <li>Supported Nexus devices will receive a single OTA update with the September 94 06, 2016 security patch level.</li> 95 </ul> 96 <h2 id="mitigations">Android and Google service mitigations</h2> 97 <p> 98 This is a summary of the mitigations provided by the <a href="/security/enhancements/index.html">Android 99 security platform</a> and service protections such as SafetyNet. These 100 capabilities reduce the likelihood that security vulnerabilities could be 101 successfully exploited on Android. 102 </p> 103 <ul> 104 <li>Exploitation for many issues on Android is made more difficult by 105 enhancements in newer versions of the Android platform. We encourage all users 106 to update to the latest version of Android where possible.</li> 107 <li>The Android Security team actively monitors for abuse with 108 <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify 109 Apps and SafetyNet</a>, which are designed to warn users about 110 <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially 111 Harmful Applications</a>. Verify Apps is enabled by default on devices with 112 <a href="http://www.android.com/gms">Google Mobile Services</a>, and is especially 113 important for users who install applications from outside of Google Play. Device 114 rooting tools are prohibited within Google Play, but Verify Apps warns users 115 when they attempt to install a detected rooting applicationno matter where it 116 comes from. Additionally, Verify Apps attempts to identify and block 117 installation of known malicious applications that exploit a privilege escalation 118 vulnerability. If such an application has already been installed, Verify Apps 119 will notify the user and attempt to remove the detected application.</li> 120 <li>As appropriate, Google Hangouts and Messenger applications do not 121 automatically pass media to processes such as Mediaserver.</li> 122 </ul> 123 124 <h2 id="acknowledgements">Acknowledgements</h2> 125 <p> 126 We would like to thank these researchers for their contributions: 127 </p> 128 129 130 <ul> 131 <li>Cory Pruce of Carnegie Mellon University: CVE-2016-3897</li> 132 <li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>) 133 and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360 134 Technology Co. Ltd.: CVE-2016-3869, CVE-2016-3865, CVE-2016-3866, CVE-2016-3867</li> 135 <li>Hao Qin of Security Research Lab, <a href="http://www.cmcm.com">Cheetah 136 Mobile</a>: CVE-2016-3863</li> 137 <li>Jann Horn of Google Project Zero: CVE-2016-3885</li> 138 <li>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) 139 and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360: CVE-2016-3858</li> 140 <li>Joshua Drake (<a href="https://twitter.com/jduck">@jduck</a>): CVE-2016-3861</li> 141 <li>Madhu Priya Murugan of CISPA, Saarland University: CVE-2016-3896</li> 142 <li>Makoto Onuki of Google: CVE-2016-3876</li> 143 <li>Mark Brand of Google Project Zero: CVE-2016-3861</li> 144 <li>Max Spector of Android Security: CVE-2016-3888</li> 145 <li>Max Spector and Quan To of Android Security: CVE-2016-3889</li> 146 <li>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), 147 Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), 148 and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3895</li> 149 <li>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) of 150 Tesla Motors Product Security Team: Discovery of additional issues related to 151 CVE-2016-2446</li> 152 <li>Oleksiy Vyalov of Google: CVE-2016-3890</li> 153 <li>Oliver Chang of Google Chrome Security Team: CVE-2016-3880</li> 154 <li>Peng Xiao, Chengming Yang, Ning You, Chao Yang, and Yang song, of Alibaba 155 Mobile Security Group: CVE-2016-3859</li> 156 <li>Ronald L. Loor Vargas (<a href="https://twitter.com/loor_rlv">@loor_rlv</a>) 157 of TEAM Lv51: CVE-2016-3886</li> 158 <li>Sagi Kedmi, IBM Security X-Force Researcher: CVE-2016-3873</li> 159 <li><a href="mailto:sbauer (a] plzdonthack.me">Scott Bauer</a> 160 (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2016-3893, 161 CVE-2016-3868, CVE-2016-3867</li> 162 <li>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of 163 TrendMicro: CVE-2016-3894</li> 164 <li>Tim Strazzere (<a href="https://twitter.com/timstrazz">@timstrazz</a>) of 165 SentinelOne / RedNaga: CVE-2016-3862</li> 166 <li>trotmaster (<a href="https://twitter.com/trotmaster99">@trotmaster99</a>): 167 CVE-2016-3883</li> 168 <li>Victor Chang of Google: CVE-2016-3887</li> 169 <li>Vignesh Venkatasubramanian of Google: CVE-2016-3881</li> 170 <li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of 171 Alibaba Inc: CVE-2016-3878</li> 172 <li><a href="mailto:vancouverdou (a] gmail.com">Wenke Dou</a>, Mingjian Zhou 173 (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu 174 (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang 175 of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3870, CVE-2016-3871, 176 CVE-2016-3872</li> 177 <li>Wish Wu (<a href="http://weibo.com/wishlinux"></a>) 178 (<a href="https://twitter.com/wish_wu">@wish_wu</a>) of 179 <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/author/wishwu/">Trend 180 Micro Inc</a>.: CVE-2016-3892</li> 181 <li>Xingyu He () (<a href="https://twitter.com/Spid3r_">@Spid3r_</a>) 182 of <a href="http://www.alibaba.com/">Alibaba Inc</a>: CVE-2016-3879</li> 183 <li>Yacong Gu of TCA Lab, Institute of Software, Chinese Academy of Sciences: 184 CVE-2016-3884</li> 185 <li><a href="http://yurushao.info">Yuru Shao</a> of University of Michigan Ann 186 Arbor: CVE-2016-3898</li> 187 </ul> 188 189 <h2 id="2016-09-01-details">2016-09-01 security patch levelSecurity vulnerability details</h2> 190 <p> 191 In the sections below, we provide details for each of the security 192 vulnerabilities that apply to the 2016-09-01 patch level. 193 There is a description of the issue, a severity rationale, 194 and a table with the CVE, associated references, severity, updated Nexus 195 devices, updated AOSP versions (where applicable), and date reported. When 196 available, we will link the public change that addressed the issue to the bug 197 ID, like the AOSP change list. When multiple changes relate to a single bug, 198 additional references are linked to numbers following the bug ID. 199 </p> 200 201 <h3>Remote code execution vulnerability in LibUtils</h3> 202 <p> 203 A remote code execution vulnerability in LibUtils could enable an attacker using 204 a specially crafted file to execute arbitrary code in the context of a 205 privileged process. This issue is rated as Critical due to the possibility of 206 remote code execution in applications that use this library. 207 </p> 208 209 <table> 210 <col width="18%"> 211 <col width="16%"> 212 <col width="10%"> 213 <col width="19%"> 214 <col width="19%"> 215 <col width="17%"> 216 <tr> 217 <th>CVE</th> 218 <th>References</th> 219 <th>Severity</th> 220 <th>Updated Nexus devices</th> 221 <th>Updated AOSP versions</th> 222 <th>Date reported</th> 223 </tr> 224 <tr> 225 <td>CVE-2016-3861</td> 226 <td><a href="https://android.googlesource.com/platform/system/core/+/ecf5fd58a8f50362ce9e8d4245a33d56f29f142b"> 227 A-29250543</a> 228 [<a href="https://android.googlesource.com/platform/frameworks/av/+/3944c65637dfed14a5a895685edfa4bacaf9f76e">2</a>] 229 [<a href="https://android.googlesource.com/platform/frameworks/base/+/866dc26ad4a98cc835d075b627326e7d7e52ffa1">3</a>] 230 [<a href="https://android.googlesource.com/platform/frameworks/native/+/1f4b49e64adf4623eefda503bca61e253597b9bf">4</a>] 231 </td> 232 <td>Critical</td> 233 <td>All Nexus</td> 234 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 235 <td>Jun 9, 2016</td> 236 </tr> 237 </table> 238 <h3>Remote code execution vulnerability in Mediaserver</h3> 239 <p> 240 A remote code execution vulnerability in Mediaserver could enable an attacker 241 using a specially crafted file to cause memory corruption during media file and 242 data processing. This issue is rated as Critical due to the possibility of 243 remote code execution within the context of the Mediaserver process. 244 </p> 245 246 <table> 247 <col width="18%"> 248 <col width="18%"> 249 <col width="10%"> 250 <col width="19%"> 251 <col width="17%"> 252 <col width="17%"> 253 <tr> 254 <th>CVE</th> 255 <th>References</th> 256 <th>Severity</th> 257 <th>Updated Nexus devices</th> 258 <th>Updated AOSP versions</th> 259 <th>Date reported</th> 260 </tr> 261 <tr> 262 <td>CVE-2016-3862</td> 263 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e739d9ca5469ed30129d0fa228e3d0f2878671ac"> 264 A-29270469</a></td> 265 <td>Critical</td> 266 <td>All Nexus</td> 267 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 268 <td>Jun 10, 2016</td> 269 </tr> 270 </table> 271 <h3>Remote code execution vulnerability in MediaMuxer</h3> 272 <p> 273 A remote code execution vulnerability in MediaMuxer could enable an attacker 274 using a specially crafted file to execute arbitrary code in the context of an 275 unprivileged process. This issue is rated as High due to the possibility of 276 remote code execution in an application that uses MediaMuxer. 277 </p> 278 279 <table> 280 <col width="18%"> 281 <col width="16%"> 282 <col width="10%"> 283 <col width="19%"> 284 <col width="19%"> 285 <col width="17%"> 286 <tr> 287 <th>CVE</th> 288 <th>References</th> 289 <th>Severity</th> 290 <th>Updated Nexus devices</th> 291 <th>Updated AOSP versions</th> 292 <th>Date reported</th> 293 </tr> 294 <tr> 295 <td>CVE-2016-3863</td> 296 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/119a012b2a9a186655da4bef3ed4ed8dd9b94c26"> 297 A-29161888</a></td> 298 <td>High</td> 299 <td>All Nexus</td> 300 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 301 <td>Jun 6, 2016</td> 302 </tr> 303 </table> 304 <h3>Elevation of privilege vulnerability in Mediaserver</h3> 305 <p> 306 An elevation of privilege vulnerability in Mediaserver could enable a local 307 malicious application to execute arbitrary code within the context of a 308 privileged process. This issue is rated as High because it could be used to gain 309 local access to elevated capabilities, which are not normally accessible to a 310 third-party application. 311 </p> 312 313 <table> 314 <col width="18%"> 315 <col width="16%"> 316 <col width="10%"> 317 <col width="19%"> 318 <col width="19%"> 319 <col width="17%"> 320 <tr> 321 <th>CVE</th> 322 <th>References</th> 323 <th>Severity</th> 324 <th>Updated Nexus devices</th> 325 <th>Updated AOSP versions</th> 326 <th>Date reported</th> 327 </tr> 328 <tr> 329 <td>CVE-2016-3870</td> 330 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/1e9801783770917728b7edbdeff3d0ec09c621ac"> 331 A-29421804</a> 332 <td>High</td> 333 <td>All Nexus</td> 334 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 335 <td>Jun 15, 2016</td> 336 </tr> 337 <tr> 338 <td>CVE-2016-3871</td> 339 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c2639afac631f5c1ffddf70ee8a6fe943d0bedf9"> 340 A-29422022</a> 341 [<a href="https://android.googlesource.com/platform/frameworks/av/+/3c4edac2a5b00dec6c8579a0ee658cfb3bb16d94">2</a>] 342 [<a href="https://android.googlesource.com/platform/frameworks/av/+/c17ad2f0c7e00fd1bbf01d0dfed41f72d78267ad">3</a>] 343 </td> 344 <td>High</td> 345 <td>All Nexus</td> 346 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 347 <td>Jun 15, 2016</td> 348 </tr> 349 <tr> 350 <td>CVE-2016-3872</td> 351 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/630ed150f7201ddadb00b8b8ce0c55c4cc6e8742"> 352 A-29421675</a> 353 [<a href="https://android.googlesource.com/platform/frameworks/av/+/9f9ba255a0c59544f3555c9c45512c3a2fac5fad">2</a>] 354 </td> 355 <td>High</td> 356 <td>All Nexus</td> 357 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 358 <td>Jun 15, 2016</td> 359 </tr> 360 </table> 361 <h3>Elevation of privilege vulnerability in device boot</h3> 362 <p> 363 An elevation of privilege during the boot sequence could enable a local 364 malicious attacker to boot into safe mode even though it's disabled. This issue 365 is rated as High because it is a local bypass of user interaction requirements 366 for any developer or security settings modifications. 367 </p> 368 369 <table> 370 <col width="18%"> 371 <col width="18%"> 372 <col width="10%"> 373 <col width="19%"> 374 <col width="17%"> 375 <col width="17%"> 376 <tr> 377 <th>CVE</th> 378 <th>References</th> 379 <th>Severity</th> 380 <th>Updated Nexus devices</th> 381 <th>Updated AOSP versions</th> 382 <th>Date reported</th> 383 </tr> 384 <tr> 385 <td>CVE-2016-3875</td> 386 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/69729fa8b13cadbf3173fe1f389fe4f3b7bd0f9c"> 387 A-26251884</a></td> 388 <td>High</td> 389 <td>None*</td> 390 <td>6.0, 6.0.1</td> 391 <td>Google internal</td> 392 </tr> 393 </table> 394 <p> 395 * Supported Nexus devices on Android 7.0 that have installed all available 396 updates are not affected by this vulnerability. 397 </p> 398 399 <h3>Elevation of privilege vulnerability in Settings</h3> 400 <p> 401 An elevation of privilege in Settings could enable a local malicious attacker to 402 boot into safe mode even though it's disabled. This issue is rated as High 403 because it is a local bypass of user interaction requirements for any developer 404 or security settings modifications. 405 </p> 406 407 <table> 408 <col width="18%"> 409 <col width="18%"> 410 <col width="10%"> 411 <col width="19%"> 412 <col width="17%"> 413 <col width="17%"> 414 <tr> 415 <th>CVE</th> 416 <th>References</th> 417 <th>Severity</th> 418 <th>Updated Nexus devices</th> 419 <th>Updated AOSP versions</th> 420 <th>Date reported</th> 421 </tr> 422 <tr> 423 <td>CVE-2016-3876</td> 424 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/91fc934bb2e5ea59929bb2f574de6db9b5100745"> 425 A-29900345</a></td> 426 <td>High</td> 427 <td>All Nexus</td> 428 <td>6.0, 6.0.1, 7.0</td> 429 <td>Google internal</td> 430 </tr> 431 </table> 432 <h3>Denial of service vulnerability in Mediaserver</h3> 433 <p> 434 A denial of service vulnerability in Mediaserver could enable an attacker to use 435 a specially crafted file to cause a device hang or reboot. This issue is rated 436 as High due to the possibility of remote denial of service. 437 </p> 438 439 <table> 440 <col width="18%"> 441 <col width="16%"> 442 <col width="10%"> 443 <col width="19%"> 444 <col width="19%"> 445 <col width="17%"> 446 <tr> 447 <th>CVE</th> 448 <th>References</th> 449 <th>Severity</th> 450 <th>Updated Nexus devices</th> 451 <th>Updated AOSP versions</th> 452 <th>Date reported</th> 453 </tr> 454 <tr> 455 <td>CVE-2016-3899</td> 456 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/97837bb6cbac21ea679843a0037779d3834bed64"> 457 A-29421811</a></td> 458 <td>High</td> 459 <td>All Nexus</td> 460 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 461 <td>Jun 16, 2016</td> 462 </tr> 463 <tr> 464 <td>CVE-2016-3878</td> 465 <td><a href="https://android.googlesource.com/platform/external/libavc/+/7109ce3f8f90a28ca9f0ee6e14f6ac5e414c62cf"> 466 A-29493002</a></td> 467 <td>High</td> 468 <td>All Nexus*</td> 469 <td>6.0, 6.0.1</td> 470 <td>Jun 17, 2016</td> 471 </tr> 472 <tr> 473 <td>CVE-2016-3879</td> 474 <td><a href="https://android.googlesource.com/platform/external/sonivox/+/cadfb7a3c96d4fef06656cf37143e1b3e62cae86"> 475 A-29770686</a></td> 476 <td>High</td> 477 <td>All Nexus*</td> 478 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 479 <td>Jun 25, 2016</td> 480 </tr> 481 <tr> 482 <td>CVE-2016-3880</td> 483 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/68f67ef6cf1f41e77337be3bc4bff91f3a3c6324"> 484 A-25747670</a></td> 485 <td>High</td> 486 <td>All Nexus</td> 487 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 488 <td>Google internal</td> 489 </tr> 490 <tr> 491 <td>CVE-2016-3881</td> 492 <td><a href="https://android.googlesource.com/platform/external/libvpx/+/4974dcbd0289a2530df2ee2a25b5f92775df80da"> 493 A-30013856</a></td> 494 <td>High</td> 495 <td>All Nexus</td> 496 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 497 <td>Google internal</td> 498 </tr> 499 </table> 500 <p> 501 * Supported Nexus devices on Android 7.0 that have installed all available 502 updates are not affected by this vulnerability. 503 </p> 504 505 <h3>Elevation of privilege vulnerability in Telephony</h3> 506 <p> 507 An elevation of privilege vulnerability in the Telephony component could enable 508 a local malicious application to send unauthorized premium SMS messages. This 509 issue is rated as Moderate because it could be used to gain elevated 510 capabilities without explicit user permission. 511 </p> 512 513 <table> 514 <col width="18%"> 515 <col width="16%"> 516 <col width="10%"> 517 <col width="19%"> 518 <col width="19%"> 519 <col width="17%"> 520 <tr> 521 <th>CVE</th> 522 <th>References</th> 523 <th>Severity</th> 524 <th>Updated Nexus devices</th> 525 <th>Updated AOSP versions</th> 526 <th>Date reported</th> 527 </tr> 528 <tr> 529 <td>CVE-2016-3883</td> 530 <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b2c89e6f8962dc7aff88cb38aa3ee67d751edda9"> 531 A-28557603</a></td> 532 <td>Moderate</td> 533 <td>All Nexus</td> 534 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 535 <td>May 3, 2016</td> 536 </tr> 537 </table> 538 <h3>Elevation of privilege vulnerability in Notification Manager Service</h3> 539 <p> 540 An elevation of privilege vulnerability in the Notification Manager Service 541 could enable a local malicious application to bypass operating system 542 protections that isolate application data from other applications. This issue is 543 rated as Moderate because it is a local bypass of user interaction requirements, 544 such as access to functionality that would normally require either user 545 initiation or user permission. 546 </p> 547 548 <table> 549 <col width="18%"> 550 <col width="18%"> 551 <col width="10%"> 552 <col width="19%"> 553 <col width="17%"> 554 <col width="17%"> 555 <tr> 556 <th>CVE</th> 557 <th>References</th> 558 <th>Severity</th> 559 <th>Updated Nexus devices</th> 560 <th>Updated AOSP versions</th> 561 <th>Date reported</th> 562 </tr> 563 <tr> 564 <td>CVE-2016-3884</td> 565 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/61e9103b5725965568e46657f4781dd8f2e5b623"> 566 A-29421441</a></td> 567 <td>Moderate</td> 568 <td>All Nexus</td> 569 <td>6.0, 6.0.1, 7.0</td> 570 <td>Jun 15, 2016</td> 571 </tr> 572 </table> 573 <h3>Elevation of privilege vulnerability in Debuggerd</h3> 574 <p> 575 An elevation of privilege vulnerability in the integrated Android debugger could 576 enable a local malicious application to execute arbitrary code within the 577 context of the Android debugger. This issue is rated as Moderate severity due to 578 the possibility of local arbitrary code execution in a privileged process. 579 </p> 580 581 <table> 582 <col width="18%"> 583 <col width="18%"> 584 <col width="10%"> 585 <col width="19%"> 586 <col width="17%"> 587 <col width="17%"> 588 <tr> 589 <th>CVE</th> 590 <th>References</th> 591 <th>Severity</th> 592 <th>Updated Nexus devices</th> 593 <th>Updated AOSP versions</th> 594 <th>Date reported</th> 595 </tr> 596 <tr> 597 <td>CVE-2016-3885</td> 598 <td><a href="https://android.googlesource.com/platform/system/core/+/d7603583f90c2bc6074a4ee2886bd28082d7c65b"> 599 A-29555636</a></td> 600 <td>Moderate</td> 601 <td>All Nexus</td> 602 <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 603 <td>Jun 21, 2016</td> 604 </tr> 605 </table> 606 <h3>Elevation of privilege vulnerability in System UI Tuner</h3> 607 <p> 608 An elevation of privilege in the System UI Tuner could enable a local malicious 609 user to modify protected settings when a device is locked. This issue is rated 610 as Moderate because it is a local bypass of user permissions. 611 </p> 612 613 <table> 614 <col width="18%"> 615 <col width="18%"> 616 <col width="10%"> 617 <col width="19%"> 618 <col width="17%"> 619 <col width="17%"> 620 <tr> 621 <th>CVE</th> 622 <th>References</th> 623 <th>Severity</th> 624 <th>Updated Nexus devices</th> 625 <th>Updated AOSP versions</th> 626 <th>Date reported</th> 627 </tr> 628 <tr> 629 <td>CVE-2016-3886</td> 630 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/6ca6cd5a50311d58a1b7bf8fbef3f9aa29eadcd5"> 631 A-30107438</a></td> 632 <td>Moderate</td> 633 <td>All Nexus</td> 634 <td>7.0</td> 635 <td>Jun 23, 2016</td> 636 </tr> 637 </table> 638 <h3>Elevation of privilege vulnerability in Settings</h3> 639 <p> 640 An elevation of privilege vulnerability in Settings could enable a local 641 malicious application to bypass operating system protections for VPN settings. 642 This issue is rated as Moderate because it could be used to gain access to data 643 that is outside of the applications permission levels. 644 </p> 645 646 <table> 647 <col width="18%"> 648 <col width="17%"> 649 <col width="10%"> 650 <col width="19%"> 651 <col width="17%"> 652 <col width="18%"> 653 <tr> 654 <th>CVE</th> 655 <th>References</th> 656 <th>Severity</th> 657 <th>Updated Nexus devices</th> 658 <th>Updated AOSP versions</th> 659 <th>Date reported</th> 660 </tr> 661 <tr> 662 <td>CVE-2016-3887</td> 663 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/335702d106797bce8a88044783fa1fc1d5f751d0"> 664 A-29899712</a></td> 665 <td>Moderate</td> 666 <td>All Nexus</td> 667 <td>7.0</td> 668 <td>Google internal</td> 669 </tr> 670 </table> 671 <h3>Elevation of privilege vulnerability in SMS</h3> 672 <p> 673 An elevation of privilege vulnerability in SMS could enable a local attacker to 674 send premium SMS messages prior to the device being provisioned. This is rated 675 as Moderate due to the possibility of bypassing Factory Reset Protection, which 676 should prevent the device from being used before it is set up. 677 </p> 678 679 <table> 680 <col width="18%"> 681 <col width="16%"> 682 <col width="10%"> 683 <col width="19%"> 684 <col width="19%"> 685 <col width="17%"> 686 <tr> 687 <th>CVE</th> 688 <th>References</th> 689 <th>Severity</th> 690 <th>Updated Nexus devices</th> 691 <th>Updated AOSP versions</th> 692 <th>Date reported</th> 693 </tr> 694 <tr> 695 <td>CVE-2016-3888</td> 696 <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b8d1aee993dcc565e6576b2f2439a8f5a507cff6"> 697 A-29420123</a></td> 698 <td>Moderate</td> 699 <td>All Nexus</td> 700 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 701 <td>Google internal</td> 702 </tr> 703 </table> 704 <h3>Elevation of privilege vulnerability in Settings</h3> 705 <p> 706 An elevation of privilege vulnerability in Settings could enable a local 707 attacker to bypass the Factory Reset Protection and gain access to the device. 708 This is rated as Moderate due to the possibility of bypassing Factory Reset 709 Protection, which could lead to successfully resetting the device and erasing 710 all its data. 711 </p> 712 713 <table> 714 <col width="18%"> 715 <col width="17%"> 716 <col width="10%"> 717 <col width="19%"> 718 <col width="17%"> 719 <col width="18%"> 720 <tr> 721 <th>CVE</th> 722 <th>References</th> 723 <th>Severity</th> 724 <th>Updated Nexus devices</th> 725 <th>Updated AOSP versions</th> 726 <th>Date reported</th> 727 </tr> 728 <tr> 729 <td>CVE-2016-3889</td> 730 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e206f02d46ae5e38c74d138b51f6e1637e261abe"> 731 A-29194585</a> 732 [<a href="https://android.googlesource.com/platform/packages/apps/Settings/+/bd5d5176c74021e8cf4970f93f273ba3023c3d72">2</a>] 733 </td> 734 <td>Moderate</td> 735 <td>All Nexus</td> 736 <td>6.0, 6.0.1, 7.0</td> 737 <td>Google internal</td> 738 </tr> 739 </table> 740 <h3>Elevation of privilege vulnerability in Java Debug Wire Protocol</h3> 741 <p> 742 An elevation of privilege vulnerability in the Java Debug Wire Protocol could 743 enable a local malicious application to execute arbitrary code within the 744 context of an elevated system application. This issue is rated as Moderate 745 because it requires an uncommon device configuration. 746 </p> 747 748 <table> 749 <col width="18%"> 750 <col width="16%"> 751 <col width="10%"> 752 <col width="19%"> 753 <col width="18%"> 754 <col width="18%"> 755 <tr> 756 <th>CVE</th> 757 <th>References</th> 758 <th>Severity</th> 759 <th>Updated Nexus devices</th> 760 <th>Updated AOSP versions</th> 761 <th>Date reported</th> 762 </tr> 763 <tr> 764 <td>CVE-2016-3890</td> 765 <td><a href="https://android.googlesource.com/platform/system/core/+/268068f25673242d1d5130d96202d3288c91b700"> 766 A-28347842</a> 767 [<a href="https://android.googlesource.com/platform/system/core/+/014b01706cc64dc9c2ad94a96f62e07c058d0b5d">2</a>] 768 </td> 769 <td>Moderate</td> 770 <td>None*</td> 771 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 772 <td>Google internal</td> 773 </tr> 774 </table> 775 <p> 776 * Supported Nexus devices on Android 7.0 that have installed all available 777 updates are not affected by this vulnerability. 778 </p> 779 780 <h3>Information disclosure vulnerability in Mediaserver</h3> 781 <p> 782 An information disclosure vulnerability in Mediaserver could enable a local 783 malicious application to access data outside of its permission levels. This 784 issue is rated as Moderate because it could be used to access sensitive data 785 without permission. 786 </p> 787 788 <table> 789 <col width="18%"> 790 <col width="18%"> 791 <col width="10%"> 792 <col width="19%"> 793 <col width="17%"> 794 <col width="17%"> 795 <tr> 796 <th>CVE</th> 797 <th>References</th> 798 <th>Severity</th> 799 <th>Updated Nexus devices</th> 800 <th>Updated AOSP versions</th> 801 <th>Date reported</th> 802 </tr> 803 <tr> 804 <td>CVE-2016-3895</td> 805 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/363247929c35104b3e5ee9e637e9dcf579080aee"> 806 A-29983260</a></td> 807 <td>Moderate</td> 808 <td>All Nexus</td> 809 <td>6.0, 6.0.1, 7.0</td> 810 <td>Jul 4, 2016</td> 811 </tr> 812 </table> 813 <h3>Information disclosure vulnerability in AOSP Mail</h3> 814 <p> 815 An information disclosure vulnerability in AOSP Mail could enable a local 816 malicious application to gain access to users private information. This issue 817 is rated as Moderate because it could be used to improperly access data without 818 permission. 819 </p> 820 821 <table> 822 <col width="18%"> 823 <col width="16%"> 824 <col width="10%"> 825 <col width="19%"> 826 <col width="19%"> 827 <col width="17%"> 828 <tr> 829 <th>CVE</th> 830 <th>References</th> 831 <th>Severity</th> 832 <th>Updated Nexus devices</th> 833 <th>Updated AOSP versions</th> 834 <th>Date reported</th> 835 </tr> 836 <tr> 837 <td>CVE-2016-3896</td> 838 <td><a href="https://android.googlesource.com/platform/packages/apps/Email/+/cb2dfe43f25cb0c32cc73aa4569c0a5186a4ef43"> 839 A-29767043</a></td> 840 <td>Moderate</td> 841 <td>None*</td> 842 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 843 <td>Jul 24, 2016</td> 844 </tr> 845 </table> 846 <p> 847 * Supported Nexus devices on Android 7.0 that have installed all available 848 updates are not affected by this vulnerability. 849 </p> 850 851 <h3>Information disclosure vulnerability in Wi-Fi</h3> 852 <p> 853 An information disclosure vulnerability in the Wi-Fi configuration could allow 854 an application to access sensitive information. This issue is rated as Moderate 855 because it could be used to access data without permission. 856 </p> 857 858 <table> 859 <col width="18%"> 860 <col width="16%"> 861 <col width="10%"> 862 <col width="19%"> 863 <col width="19%"> 864 <col width="17%"> 865 <tr> 866 <th>CVE</th> 867 <th>References</th> 868 <th>Severity</th> 869 <th>Updated Nexus devices</th> 870 <th>Updated AOSP versions</th> 871 <th>Date reported</th> 872 </tr> 873 <tr> 874 <td>CVE-2016-3897</td> 875 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/55271d454881b67ff38485fdd97598c542cc2d55"> 876 A-25624963</a> 877 [<a href="https://android.googlesource.com/platform/frameworks/base/+/81be4e3aac55305cbb5c9d523cf5c96c66604b39">2</a>] 878 </td> 879 <td>Moderate</td> 880 <td>None*</td> 881 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 882 <td>Nov 5, 2015</td> 883 </tr> 884 </table> 885 <p> 886 * Supported Nexus devices on Android 7.0 that have installed all available 887 updates are not affected by this vulnerability. 888 </p> 889 890 <h3>Denial of service vulnerability in Telephony</h3> 891 <p> 892 A denial of service vulnerability in the Telephony component could enable a 893 local malicious application to prevent 911 TTY calls from a locked screen. This 894 issue is rated as Moderate due to the possibility of a denial of service on a 895 critical function. 896 </p> 897 898 <table> 899 <col width="18%"> 900 <col width="18%"> 901 <col width="10%"> 902 <col width="19%"> 903 <col width="17%"> 904 <col width="17%"> 905 <tr> 906 <th>CVE</th> 907 <th>References</th> 908 <th>Severity</th> 909 <th>Updated Nexus devices</th> 910 <th>Updated AOSP versions</th> 911 <th>Date reported</th> 912 </tr> 913 <tr> 914 <td>CVE-2016-3898</td> 915 <td><a href="https://android.googlesource.com/platform/packages/services/Telephony/+/d1d248d10cf03498efb7041f1a8c9c467482a19d"> 916 A-29832693</a></td> 917 <td>Moderate</td> 918 <td>All Nexus</td> 919 <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 920 <td>Jun 28, 2016</td> 921 </tr> 922 </table> 923 <h2 id="2016-09-05-details">2016-09-05 security patch levelVulnerability details</h2> 924 <p> 925 In the sections below, we provide details for each of the security 926 vulnerabilities that apply to the 2016-09-05 patch level. 927 There is a description of the issue, a severity rationale, 928 and a table with the CVE, associated references, severity, updated Nexus 929 devices, updated AOSP versions (where applicable), and date reported. When 930 available, we will link the public change that addressed the issue to the bug 931 ID, like the AOSP change list. When multiple changes relate to a single bug, 932 additional references are linked to numbers following the bug ID. 933 </p> 934 935 <h3>Elevation of privilege vulnerability in kernel security subsystem</h3> 936 <p> 937 An elevation of privilege vulnerability in the kernel security subsystem could 938 enable a local malicious application to execute arbitrary code within the 939 context of the kernel. This issue is rated as Critical due to the possibility of 940 a local permanent device compromise, which may require reflashing the operating 941 system to repair the device. 942 </p> 943 944 <table> 945 <col width="19%"> 946 <col width="20%"> 947 <col width="10%"> 948 <col width="23%"> 949 <col width="17%"> 950 <tr> 951 <th>CVE</th> 952 <th>References</th> 953 <th>Severity</th> 954 <th>Updated Nexus devices</th> 955 <th>Date reported</th> 956 </tr> 957 <tr> 958 <td>CVE-2014-9529</td> 959 <td>A-29510361 960 <p> 961 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a3a8784454692dd72e5d5d34dcdab17b4420e74c">Upstream 962 kernel</a></p></td> 963 <td>Critical</td> 964 <td>Nexus 5, Nexus 6, Nexus 9, Nexus Player, Android One</td> 965 <td>Jan 6, 2015</td> 966 </tr> 967 <tr> 968 <td>CVE-2016-4470</td> 969 <td>A-29823941 970 <p> 971 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a">Upstream 972 kernel</a></p></td> 973 <td>Critical</td> 974 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player</td> 975 <td>June 15, 2016</td> 976 </tr> 977 </table> 978 <h3>Elevation of privilege vulnerability in kernel networking subsystem</h3> 979 <p> 980 An elevation of privilege vulnerability in the kernel networking subsystem could 981 enable a local malicious application to execute arbitrary code within the 982 context of the kernel. This issue is rated as Critical due to the possibility of 983 a local permanent device compromise, which may require reflashing the operating 984 system to repair the device. 985 </p> 986 987 <table> 988 <col width="19%"> 989 <col width="20%"> 990 <col width="10%"> 991 <col width="23%"> 992 <col width="17%"> 993 <tr> 994 <th>CVE</th> 995 <th>References</th> 996 <th>Severity</th> 997 <th>Updated Nexus devices</th> 998 <th>Date reported</th> 999 </tr> 1000 <tr> 1001 <td>CVE-2013-7446</td> 1002 <td>A-29119002 1003 <p> 1004 <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c">Upstream 1005 kernel</a></p></td> 1006 <td>Critical</td> 1007 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, 1008 Android One</td> 1009 <td>Nov 18, 2015</td> 1010 </tr> 1011 </table> 1012 <h3>Elevation of privilege vulnerability in kernel netfilter subsystem</h3> 1013 <p> 1014 An elevation of privilege vulnerability in the kernel netfilter subsystem could 1015 enable a local malicious application to execute arbitrary code within the 1016 context of the kernel. This issue is rated as Critical due to the possibility of 1017 a local permanent device compromise, which may require reflashing the operating 1018 system to repair the device. 1019 </p> 1020 1021 <table> 1022 <col width="19%"> 1023 <col width="20%"> 1024 <col width="10%"> 1025 <col width="23%"> 1026 <col width="17%"> 1027 <tr> 1028 <th>CVE</th> 1029 <th>References</th> 1030 <th>Severity</th> 1031 <th>Updated Nexus devices</th> 1032 <th>Date reported</th> 1033 </tr> 1034 <tr> 1035 <td>CVE-2016-3134</td> 1036 <td>A-28940694 1037 <p> 1038 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309">Upstream 1039 kernel</a></p></td> 1040 <td>Critical</td> 1041 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, 1042 Android One</td> 1043 <td>Mar 9, 2016</td> 1044 </tr> 1045 </table> 1046 <h3>Elevation of privilege vulnerability in kernel USB driver</h3> 1047 <p> 1048 An elevation of privilege vulnerability in the kernel USB driver could enable a 1049 local malicious application to execute arbitrary code within the context of the 1050 kernel. This issue is rated as Critical due to the possibility of a local 1051 permanent device compromise, which may require reflashing the operating system 1052 to repair the device. 1053 </p> 1054 1055 <table> 1056 <col width="19%"> 1057 <col width="20%"> 1058 <col width="10%"> 1059 <col width="23%"> 1060 <col width="17%"> 1061 <tr> 1062 <th>CVE</th> 1063 <th>References</th> 1064 <th>Severity</th> 1065 <th>Updated Nexus devices</th> 1066 <th>Date reported</th> 1067 </tr> 1068 <tr> 1069 <td>CVE-2016-3951</td> 1070 <td>A-28744625 1071 <p> 1072 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d06dd537f95683aba3651098ae288b7cbff8274">Upstream kernel</a> 1073 [<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1666984c8625b3db19a9abc298931d35ab7bc64b">2</a>]</p></td> 1074 <td>Critical</td> 1075 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, 1076 Android One</td> 1077 <td>Apr 6, 2016</td> 1078 </tr> 1079 </table> 1080 <h3>Elevation of privilege vulnerability in kernel sound subsystem</h3> 1081 <p> 1082 An elevation of privilege vulnerability in the kernel sound subsystem could 1083 enable a local malicious application to execute arbitrary code within the 1084 context of the kernel. This issue is rated as High because it first requires 1085 compromising a privileged process. 1086 </p> 1087 1088 <table> 1089 <col width="19%"> 1090 <col width="20%"> 1091 <col width="10%"> 1092 <col width="23%"> 1093 <col width="17%"> 1094 <tr> 1095 <th>CVE</th> 1096 <th>References</th> 1097 <th>Severity</th> 1098 <th>Updated Nexus devices</th> 1099 <th>Date reported</th> 1100 </tr> 1101 <tr> 1102 <td>CVE-2014-4655</td> 1103 <td>A-29916012 1104 <p> 1105 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=82262a46627bebb0febcc26664746c25cef08563">Upstream 1106 kernel</a></p></td> 1107 <td>High</td> 1108 <td>Nexus 5, Nexus 6, Nexus 9, Nexus Player</td> 1109 <td>Jun 26, 2014</td> 1110 </tr> 1111 </table> 1112 <h3>Elevation of privilege vulnerability in kernel ASN.1 decoder</h3> 1113 <p> 1114 An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable 1115 a local malicious application to execute arbitrary code within the context of 1116 the kernel. This issue is rated as High because it first requires compromising a 1117 privileged process. 1118 </p> 1119 1120 <table> 1121 <col width="19%"> 1122 <col width="20%"> 1123 <col width="10%"> 1124 <col width="23%"> 1125 <col width="17%"> 1126 <tr> 1127 <th>CVE</th> 1128 <th>References</th> 1129 <th>Severity</th> 1130 <th>Updated Nexus devices</th> 1131 <th>Date reported</th> 1132 </tr> 1133 <tr> 1134 <td>CVE-2016-2053</td> 1135 <td>A-28751627 1136 <p> 1137 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f">Upstream 1138 kernel</a></p></td> 1139 <td>High</td> 1140 <td>Nexus 5X, Nexus 6P</td> 1141 <td>Jan 25, 2016</td> 1142 </tr> 1143 </table> 1144 <h3>Elevation of privilege vulnerability in Qualcomm radio interface layer</h3> 1145 <p> 1146 An elevation of privilege vulnerability in the Qualcomm radio interface layer 1147 could enable a local malicious application to execute arbitrary code within the 1148 context of the kernel. This issue is rated as High because it first requires 1149 compromising a privileged process. 1150 </p> 1151 1152 <table> 1153 <col width="19%"> 1154 <col width="18%"> 1155 <col width="10%"> 1156 <col width="25%"> 1157 <col width="17%"> 1158 <tr> 1159 <th>CVE</th> 1160 <th>References</th> 1161 <th>Severity</th> 1162 <th>Updated Nexus devices</th> 1163 <th>Date reported</th> 1164 </tr> 1165 <tr> 1166 <td>CVE-2016-3864</td> 1167 <td>A-28823714*<br> 1168 QC-CR#913117</td> 1169 <td>High</td> 1170 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1171 <td>Apr 29, 2016</td> 1172 </tr> 1173 </table> 1174 <p> 1175 * The patch for this issue is not publicly available. The update is contained in 1176 the latest binary drivers for Nexus devices available from the 1177 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1178 site</a>. 1179 </p> 1180 1181 <h3>Elevation of privilege vulnerability in Qualcomm subsystem driver</h3> 1182 <p> 1183 An elevation of privilege vulnerability in the Qualcomm subsystem driver could 1184 enable a local malicious application to execute arbitrary code within the 1185 context of the kernel. This issue is rated as High because it first requires 1186 compromising a privileged process. 1187 </p> 1188 1189 <table> 1190 <col width="19%"> 1191 <col width="20%"> 1192 <col width="10%"> 1193 <col width="23%"> 1194 <col width="17%"> 1195 <tr> 1196 <th>CVE</th> 1197 <th>References</th> 1198 <th>Severity</th> 1199 <th>Updated Nexus devices</th> 1200 <th>Date reported</th> 1201 </tr> 1202 <tr> 1203 <td>CVE-2016-3858</td> 1204 <td>A-28675151<br> 1205 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0c148b9a9028c566eac680f19e5d664b483cdee3">QC-CR#1022641</a></td> 1206 <td>High</td> 1207 <td>Nexus 5X, Nexus 6P</td> 1208 <td>May 9, 2016</td> 1209 </tr> 1210 </table> 1211 <h3>Elevation of privilege vulnerability in kernel networking driver</h3> 1212 <p> 1213 An elevation of privilege vulnerability in the kernel networking driver could 1214 enable a local malicious application to execute arbitrary code within the 1215 context of the kernel. This issue is rated as High because it first requires 1216 compromising a privileged process. 1217 </p> 1218 1219 <table> 1220 <col width="19%"> 1221 <col width="20%"> 1222 <col width="10%"> 1223 <col width="23%"> 1224 <col width="17%"> 1225 <tr> 1226 <th>CVE</th> 1227 <th>References</th> 1228 <th>Severity</th> 1229 <th>Updated Nexus devices</th> 1230 <th>Date reported</th> 1231 </tr> 1232 <tr> 1233 <td>CVE-2016-4805</td> 1234 <td>A-28979703 1235 <p> 1236 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f461dcdd296eecedaffffc6bae2bfa90bd7eb89">Upstream 1237 kernel</a></p></td> 1238 <td>High</td> 1239 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9</td> 1240 <td>May 15, 2016</td> 1241 </tr> 1242 </table> 1243 <h3>Elevation of privilege vulnerability in Synaptics touchscreen driver</h3> 1244 <p> 1245 An elevation of privilege vulnerability in the Synaptics touchscreen driver 1246 could enable a local malicious application to execute arbitrary code within the 1247 context of the kernel. This issue is rated as High because it first requires 1248 compromising a privileged process. 1249 </p> 1250 1251 <table> 1252 <col width="19%"> 1253 <col width="20%"> 1254 <col width="10%"> 1255 <col width="23%"> 1256 <col width="17%"> 1257 <tr> 1258 <th>CVE</th> 1259 <th>References</th> 1260 <th>Severity</th> 1261 <th>Updated Nexus devices</th> 1262 <th>Date reported</th> 1263 </tr> 1264 <tr> 1265 <td>CVE-2016-3865</td> 1266 <td>A-28799389*</td> 1267 <td>High</td> 1268 <td>Nexus 5X, Nexus 9</td> 1269 <td>May 16, 2016</td> 1270 </tr> 1271 </table> 1272 <p> 1273 * The patch for this issue is not publicly available. The update is contained in 1274 the latest binary drivers for Nexus devices available from the 1275 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1276 site</a>. 1277 </p> 1278 1279 <h3>Elevation of privilege vulnerability in Qualcomm camera driver</h3> 1280 <p> 1281 An elevation of privilege vulnerability in the Qualcomm camera driver could 1282 enable a local malicious application to execute arbitrary code within the 1283 context of the kernel. This issue is rated as High because it first requires 1284 compromising a privileged process. 1285 </p> 1286 1287 <table> 1288 <col width="19%"> 1289 <col width="20%"> 1290 <col width="10%"> 1291 <col width="23%"> 1292 <col width="17%"> 1293 <tr> 1294 <th>CVE</th> 1295 <th>References</th> 1296 <th>Severity</th> 1297 <th>Updated Nexus devices</th> 1298 <th>Date reported</th> 1299 </tr> 1300 <tr> 1301 <td>CVE-2016-3859</td> 1302 <td>A-28815326*<br> 1303 QC-CR#1034641</td> 1304 <td>High</td> 1305 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td> 1306 <td>May 17, 2016</td> 1307 </tr> 1308 </table> 1309 <p> 1310 * The patch for this issue is not publicly available. The update is contained in 1311 the latest binary drivers for Nexus devices available from the 1312 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1313 site</a>. 1314 </p> 1315 1316 <h3>Elevation of privilege vulnerability in Qualcomm sound driver</h3> 1317 <p> 1318 An elevation of privilege vulnerability in the Qualcomm sound driver could 1319 enable a local malicious application to execute arbitrary code within the 1320 context of the kernel. This issue is rated as High because it first requires 1321 compromising a privileged process. 1322 </p> 1323 1324 <table> 1325 <col width="19%"> 1326 <col width="20%"> 1327 <col width="10%"> 1328 <col width="23%"> 1329 <col width="17%"> 1330 <tr> 1331 <th>CVE</th> 1332 <th>References</th> 1333 <th>Severity</th> 1334 <th>Updated Nexus devices</th> 1335 <th>Date reported</th> 1336 </tr> 1337 <tr> 1338 <td>CVE-2016-3866</td> 1339 <td>A-28868303*<br> 1340 QC-CR#1032820</td> 1341 <td>High</td> 1342 <td>Nexus 5X, Nexus 6, Nexus 6P</td> 1343 <td>May 18, 2016</td> 1344 </tr> 1345 </table> 1346 <p> 1347 * The patch for this issue is not publicly available. The update is contained in 1348 the latest binary drivers for Nexus devices available from the 1349 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1350 site</a>. 1351 </p> 1352 1353 <h3>Elevation of privilege vulnerability in Qualcomm IPA driver</h3> 1354 <p> 1355 An elevation of privilege vulnerability in the Qualcomm IPA driver could enable 1356 a local malicious application to execute arbitrary code within the context of 1357 the kernel. This issue is rated as High because it first requires compromising a 1358 privileged process. 1359 </p> 1360 1361 <table> 1362 <col width="19%"> 1363 <col width="20%"> 1364 <col width="10%"> 1365 <col width="23%"> 1366 <col width="17%"> 1367 <tr> 1368 <th>CVE</th> 1369 <th>References</th> 1370 <th>Severity</th> 1371 <th>Updated Nexus devices</th> 1372 <th>Date reported</th> 1373 </tr> 1374 <tr> 1375 <td>CVE-2016-3867</td> 1376 <td>A-28919863*<br> 1377 QC-CR#1037897</td> 1378 <td>High</td> 1379 <td>Nexus 5X, Nexus 6P</td> 1380 <td>May 21, 2016</td> 1381 </tr> 1382 </table> 1383 <p> 1384 * The patch for this issue is not publicly available. The update is contained in 1385 the latest binary drivers for Nexus devices available from the 1386 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1387 site</a>. 1388 </p> 1389 1390 <h3>Elevation of privilege vulnerability in Qualcomm power driver</h3> 1391 <p> 1392 An elevation of privilege vulnerability in the Qualcomm power driver could 1393 enable a local malicious application to execute arbitrary code within the 1394 context of the kernel. This issue is rated as High because it first requires 1395 compromising a privileged process. 1396 </p> 1397 1398 <table> 1399 <col width="19%"> 1400 <col width="20%"> 1401 <col width="10%"> 1402 <col width="23%"> 1403 <col width="17%"> 1404 <tr> 1405 <th>CVE</th> 1406 <th>References</th> 1407 <th>Severity</th> 1408 <th>Updated Nexus devices</th> 1409 <th>Date reported</th> 1410 </tr> 1411 <tr> 1412 <td>CVE-2016-3868</td> 1413 <td>A-28967028*<br> 1414 QC-CR#1032875</td> 1415 <td>High</td> 1416 <td>Nexus 5X, Nexus 6P</td> 1417 <td>May 25, 2016</td> 1418 </tr> 1419 </table> 1420 <p> 1421 * The patch for this issue is not publicly available. The update is contained in 1422 the latest binary drivers for Nexus devices available from the 1423 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1424 site</a>. 1425 </p> 1426 1427 <h3>Elevation of privilege vulnerability in Broadcom Wi-Fi driver</h3> 1428 <p> 1429 An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could 1430 enable a local malicious application to execute arbitrary code within the 1431 context of the kernel. This issue is rated as High because it first requires 1432 compromising a privileged process. 1433 </p> 1434 1435 <table> 1436 <col width="19%"> 1437 <col width="20%"> 1438 <col width="10%"> 1439 <col width="23%"> 1440 <col width="17%"> 1441 <tr> 1442 <th>CVE</th> 1443 <th>References</th> 1444 <th>Severity</th> 1445 <th>Updated Nexus devices</th> 1446 <th>Date reported</th> 1447 </tr> 1448 <tr> 1449 <td>CVE-2016-3869</td> 1450 <td>A-29009982*<br> 1451 B-RB#96070</td> 1452 <td>High</td> 1453 <td>Nexus 5, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C</td> 1454 <td>May 27, 2016</td> 1455 </tr> 1456 </table> 1457 <p> 1458 * The patch for this issue is not publicly available. The update is contained in 1459 the latest binary drivers for Nexus devices available from the 1460 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1461 site</a>. 1462 </p> 1463 1464 <h3>Elevation of privilege vulnerability in kernel eCryptfs filesystem</h3> 1465 <p> 1466 An elevation of privilege vulnerability in the kernel eCryptfs filesystem could 1467 enable a local malicious application to execute arbitrary code within the 1468 context of the kernel. This issue is rated as High because it first requires 1469 compromising a privileged process. 1470 </p> 1471 1472 <table> 1473 <col width="17%"> 1474 <col width="22%"> 1475 <col width="10%"> 1476 <col width="23%"> 1477 <col width="17%"> 1478 <tr> 1479 <th>CVE</th> 1480 <th>References</th> 1481 <th>Severity</th> 1482 <th>Updated Nexus devices</th> 1483 <th>Date reported</th> 1484 </tr> 1485 <tr> 1486 <td>CVE-2016-1583</td> 1487 <td>A-29444228<br> 1488 <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9">Upstream kernel</a> 1489 [<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87">2</a>] 1490 [<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29d6455178a09e1dc340380c582b13356227e8df">3</a>]</td> 1491 <td>High</td> 1492 <td>Pixel C</td> 1493 <td>Jun 1, 2016</td> 1494 </tr> 1495 </table> 1496 <h3>Elevation of privilege vulnerability in NVIDIA kernel</h3> 1497 <p> 1498 An elevation of privilege vulnerability in the NVIDIA kernel could enable a 1499 local malicious application to execute arbitrary code within the context of the 1500 kernel. This issue is rated as High severity because it first requires 1501 compromising a privileged process. 1502 </p> 1503 1504 <table> 1505 <col width="19%"> 1506 <col width="20%"> 1507 <col width="10%"> 1508 <col width="23%"> 1509 <col width="17%"> 1510 <tr> 1511 <th>CVE</th> 1512 <th>References</th> 1513 <th>Severity</th> 1514 <th>Updated Nexus devices</th> 1515 <th>Date reported</th> 1516 </tr> 1517 <tr> 1518 <td>CVE-2016-3873</td> 1519 <td>A-29518457*<br> 1520 N-CVE-2016-3873</td> 1521 <td>High</td> 1522 <td>Nexus 9</td> 1523 <td>Jun 20, 2016</td> 1524 </tr> 1525 </table> 1526 <p> 1527 * The patch for this issue is not publicly available. The update is contained in 1528 the latest binary drivers for Nexus devices available from the 1529 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1530 site</a>. 1531 </p> 1532 1533 <h3>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3> 1534 <p> 1535 An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could 1536 enable a local malicious application to execute arbitrary code within the 1537 context of the kernel. This issue is rated as High because it first requires 1538 compromising a privileged process. 1539 </p> 1540 1541 <table> 1542 <col width="19%"> 1543 <col width="20%"> 1544 <col width="10%"> 1545 <col width="23%"> 1546 <col width="17%"> 1547 <tr> 1548 <th>CVE</th> 1549 <th>References</th> 1550 <th>Severity</th> 1551 <th>Updated Nexus devices</th> 1552 <th>Date reported</th> 1553 </tr> 1554 <tr> 1555 <td>CVE-2016-3874</td> 1556 <td>A-29944562<br> 1557 <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=50e8f265b3f7926aeb4e49c33f7301ace89faa77">QC-CR#997797</a> 1558 [<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a3974e61c960aadcc147c3c5704a67309171642d">2</a>]</td> 1559 <td>High</td> 1560 <td>Nexus 5X</td> 1561 <td>Jul 1, 2016</td> 1562 </tr> 1563 </table> 1564 <h3>Denial of service vulnerability in kernel networking subsystem</h3> 1565 <p> 1566 A denial of service vulnerability in the kernel networking subsystem could 1567 enable an attacker to cause a device hang or reboot. This issue is rated as High 1568 due to the possibility of a temporary remote denial of service. 1569 </p> 1570 1571 <table> 1572 <col width="19%"> 1573 <col width="18%"> 1574 <col width="10%"> 1575 <col width="25%"> 1576 <col width="17%"> 1577 <tr> 1578 <th>CVE</th> 1579 <th>References</th> 1580 <th>Severity</th> 1581 <th>Updated Nexus devices</th> 1582 <th>Date reported</th> 1583 </tr> 1584 <tr> 1585 <td>CVE-2015-1465</td> 1586 <td>A-29506807 1587 <p> 1588 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0">Upstream 1589 kernel</a></p></td> 1590 <td>High</td> 1591 <td>Nexus 5, Nexus 6, Nexus 9, Nexus Player, Pixel C, Android One</td> 1592 <td>Feb 3, 2015</td> 1593 </tr> 1594 <tr> 1595 <td>CVE-2015-5364</td> 1596 <td>A-29507402 1597 <p> 1598 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0">Upstream 1599 kernel</a></p></td> 1600 <td>High</td> 1601 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, 1602 Android One</td> 1603 <td>Jun 30, 2015</td> 1604 </tr> 1605 </table> 1606 <h3>Denial of service vulnerability in kernel ext4 file system</h3> 1607 <p> 1608 A denial of service vulnerability in the kernel ext4 file system could enable an 1609 attacker to cause a local permanent denial of service, which may require 1610 reflashing the operating system to repair the device. This issue is rated as 1611 High due to the possibility of local permanent denial of service. 1612 </p> 1613 1614 <table> 1615 <col width="19%"> 1616 <col width="16%"> 1617 <col width="10%"> 1618 <col width="27%"> 1619 <col width="17%"> 1620 <tr> 1621 <th>CVE</th> 1622 <th>References</th> 1623 <th>Severity</th> 1624 <th>Updated Nexus devices</th> 1625 <th>Date reported</th> 1626 </tr> 1627 <tr> 1628 <td>CVE-2015-8839</td> 1629 <td>A-28760453*</td> 1630 <td>High</td> 1631 <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One</td> 1632 <td>Apr 4, 2016</td> 1633 </tr> 1634 </table> 1635 <p> 1636 * The patch for this issue is not publicly available. The update is contained in 1637 the latest binary drivers for Nexus devices available from the 1638 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1639 site</a>. 1640 </p> 1641 1642 <h3>Information disclosure vulnerability in Qualcomm SPMI driver</h3> 1643 <p> 1644 An information disclosure vulnerability in the Qualcomm SPMI driver could enable 1645 a local malicious application to access data outside of its permission levels. 1646 This issue is rated as Moderate because it first requires compromising a 1647 privileged process. 1648 </p> 1649 1650 <table> 1651 <col width="19%"> 1652 <col width="20%"> 1653 <col width="10%"> 1654 <col width="23%"> 1655 <col width="17%"> 1656 <tr> 1657 <th>CVE</th> 1658 <th>References</th> 1659 <th>Severity</th> 1660 <th>Updated Nexus devices</th> 1661 <th>Date reported</th> 1662 </tr> 1663 <tr> 1664 <td>CVE-2016-3892</td> 1665 <td>A-28760543*<br> 1666 QC-CR#1024197</td> 1667 <td>Moderate</td> 1668 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td> 1669 <td>May 13, 2016</td> 1670 </tr> 1671 </table> 1672 <p> 1673 * The patch for this issue is not publicly available. The update is contained in 1674 the latest binary drivers for Nexus devices available from the 1675 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1676 site</a>. 1677 </p> 1678 1679 <h3>Information disclosure vulnerability in Qualcomm sound codec</h3> 1680 <p> 1681 An information disclosure vulnerability in the Qualcomm sound codec could enable 1682 a local malicious application to access data outside of its permission levels. 1683 This issue is rated as Moderate because it first requires compromising a 1684 privileged process. 1685 </p> 1686 1687 <table> 1688 <col width="19%"> 1689 <col width="20%"> 1690 <col width="10%"> 1691 <col width="23%"> 1692 <col width="17%"> 1693 <tr> 1694 <th>CVE</th> 1695 <th>References</th> 1696 <th>Severity</th> 1697 <th>Updated Nexus devices</th> 1698 <th>Date reported</th> 1699 </tr> 1700 <tr> 1701 <td>CVE-2016-3893</td> 1702 <td>A-29512527<br> 1703 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a7a6ddc91cce7ad5ad55c9709b24bfc80f5ac873">QC-CR#856400</a></td> 1704 <td>Moderate</td> 1705 <td>Nexus 6P</td> 1706 <td>Jun 20, 2016</td> 1707 </tr> 1708 </table> 1709 <h3>Information disclosure vulnerability in Qualcomm DMA component</h3> 1710 <p> 1711 An information disclosure vulnerability in the Qualcomm DMA component could 1712 enable a local malicious application to access data outside of its permission 1713 levels. This issue is rated as Moderate because it first requires compromising a 1714 privileged process. 1715 </p> 1716 1717 <table> 1718 <col width="19%"> 1719 <col width="20%"> 1720 <col width="10%"> 1721 <col width="23%"> 1722 <col width="17%"> 1723 <tr> 1724 <th>CVE</th> 1725 <th>References</th> 1726 <th>Severity</th> 1727 <th>Updated Nexus devices</th> 1728 <th>Date reported</th> 1729 </tr> 1730 <tr> 1731 <td>CVE-2016-3894</td> 1732 <td>A-29618014*<br> 1733 QC-CR#1042033</td> 1734 <td>Moderate</td> 1735 <td>Nexus 6</td> 1736 <td>Jun 23, 2016</td> 1737 </tr> 1738 </table> 1739 <p> 1740 * The patch for this issue is not publicly available. The update is contained in 1741 the latest binary drivers for Nexus devices available from the 1742 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1743 site</a>. 1744 </p> 1745 1746 <h3>Information disclosure vulnerability in kernel networking subsystem</h3> 1747 <p> 1748 An information disclosure vulnerability in the kernel networking subsystem could 1749 enable a local malicious application to access data outside of its permission 1750 levels. This issue is rated as Moderate because it first requires compromising a 1751 privileged process. 1752 </p> 1753 1754 <table> 1755 <col width="19%"> 1756 <col width="20%"> 1757 <col width="10%"> 1758 <col width="23%"> 1759 <col width="17%"> 1760 <tr> 1761 <th>CVE</th> 1762 <th>References</th> 1763 <th>Severity</th> 1764 <th>Updated Nexus devices</th> 1765 <th>Date reported</th> 1766 </tr> 1767 <tr> 1768 <td>CVE-2016-4998</td> 1769 <td>A-29637687<br> 1770 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968e9686df777dc178486f600c6e617">Upstream kernel</a> 1771 [<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91">2</a>]</td> 1772 <td>Moderate</td> 1773 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, 1774 Android One</td> 1775 <td>Jun 24, 2016</td> 1776 </tr> 1777 </table> 1778 <h3>Denial of service vulnerability in kernel networking subsystem</h3> 1779 <p> 1780 A denial of service vulnerability in the kernel networking subsystem could 1781 enable an attacker to block access to Wi-Fi capabilities.This issue is rated as 1782 Moderate due to the possibility of a temporary remote denial of service of the 1783 Wi-Fi capabilities. 1784 </p> 1785 1786 <table> 1787 <col width="19%"> 1788 <col width="20%"> 1789 <col width="10%"> 1790 <col width="23%"> 1791 <col width="17%"> 1792 <tr> 1793 <th>CVE</th> 1794 <th>References</th> 1795 <th>Severity</th> 1796 <th>Updated Nexus devices</th> 1797 <th>Date reported</th> 1798 </tr> 1799 <tr> 1800 <td>CVE-2015-2922</td> 1801 <td>A-29409847 1802 <p> 1803 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a">Upstream 1804 kernel</a></p></td> 1805 <td>Moderate</td> 1806 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, 1807 Android One</td> 1808 <td>Apr 4, 2015</td> 1809 </tr> 1810 </table> 1811 <h3>Vulnerabilities in Qualcomm components</h3> 1812 <p> 1813 The table below contains security vulnerabilities affecting Qualcomm components, 1814 potentially including the bootloader, camera driver, character driver, 1815 networking, sound driver, and video driver. 1816 </p> 1817 1818 <table> 1819 <col width="19%"> 1820 <col width="20%"> 1821 <col width="10%"> 1822 <col width="23%"> 1823 <col width="17%"> 1824 <tr> 1825 <th>CVE</th> 1826 <th>References</th> 1827 <th>Severity</th> 1828 <th>Updated Nexus devices</th> 1829 <th>Date reported</th> 1830 </tr> 1831 <tr> 1832 <td>CVE-2016-2469</td> 1833 <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e">QC-CR#997025</a></td> 1834 <td>High</td> 1835 <td>None</td> 1836 <td>Jun 2016</td> 1837 </tr> 1838 <tr> 1839 <td>CVE-2016-2469</td> 1840 <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e7369163162e7773bc887f7a264d6aa46cfcc665">QC-CR#997015</a></td> 1841 <td>Moderate</td> 1842 <td>None</td> 1843 <td>Jun 2016</td> 1844 </tr> 1845 </table> 1846 <h2 id="2016-09-06-details">2016-09-06 security patch levelVulnerability details</h2> 1847 <p> 1848 In the sections below, we provide details for each of the security 1849 vulnerabilities that apply to the 2016-09-06 patch level. 1850 There is a description of the issue, a severity rationale, 1851 and a table with the CVE, associated references, severity, updated Nexus 1852 devices, updated AOSP versions (where applicable), and date reported. When 1853 available, we will link the public change that addressed the issue to the bug 1854 ID, like the AOSP change list. When multiple changes relate to a single bug, 1855 additional references are linked to numbers following the bug ID. 1856 </p> 1857 1858 <h3>Elevation of privilege vulnerability in kernel shared memory subsystem</h3> 1859 <p> 1860 An elevation of privilege vulnerability in the kernel shared memory subsystem 1861 could enable a local malicious application to execute arbitrary code within the 1862 context of the kernel. This issue is rated as Critical due to the possibility of 1863 a local permanent device compromise, which may require reflashing the operating 1864 system to repair the device. 1865 </p> 1866 1867 <table> 1868 <col width="19%"> 1869 <col width="20%"> 1870 <col width="10%"> 1871 <col width="23%"> 1872 <col width="17%"> 1873 <tr> 1874 <th>CVE</th> 1875 <th>References</th> 1876 <th>Severity</th> 1877 <th>Updated Nexus devices</th> 1878 <th>Date reported</th> 1879 </tr> 1880 <tr> 1881 <td>CVE-2016-5340</td> 1882 <td>A-30652312<br> 1883 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6">QC-CR#1008948</a></td> 1884 <td>Critical</td> 1885 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1886 <td>Jul 26, 2016</td> 1887 </tr> 1888 </table> 1889 <h3>Elevation of privilege vulnerability in Qualcomm networking component</h3> 1890 <p> 1891 An elevation of privilege vulnerability in the Qualcomm networking component 1892 could enable a local malicious application to execute arbitrary code within the 1893 context of the kernel. This issue is rated as High because it first requires 1894 compromising a privileged process. 1895 </p> 1896 1897 <table> 1898 <col width="19%"> 1899 <col width="20%"> 1900 <col width="10%"> 1901 <col width="23%"> 1902 <col width="17%"> 1903 <tr> 1904 <th>CVE</th> 1905 <th>References</th> 1906 <th>Severity</th> 1907 <th>Updated Nexus devices</th> 1908 <th>Date reported</th> 1909 </tr> 1910 <tr> 1911 <td>CVE-2016-2059</td> 1912 <td>A-27045580<br> 1913 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d">QC-CR#974577</a></td> 1914 <td>High</td> 1915 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1916 <td>Feb 4, 2016</td> 1917 </tr> 1918 </table> 1919 <h2 id="common-questions-and-answers">Common Questions and Answers</h2> 1920 <p> 1921 This section answers common questions that may occur after reading this 1922 bulletin. 1923 </p> 1924 1925 <p> 1926 <strong>1. How do I determine if my device is updated to address these issues? 1927 </strong> 1928 </p> 1929 1930 <p> 1931 Security Patch Levels of 2016-09-01 or later address all issues associated with 1932 the 2016-09-01 security patch string level. Security Patch Levels of 2016-09-05 1933 or later address all issues associated with the 2016-09-05 security patch string 1934 level. Security Patch Levels of 2016-09-06 or later address all issues 1935 associated with the 2016-09-06 security patch string level. Refer to the 1936 <a href="https://support.google.com/nexus/answer/4457705">help center</a> for 1937 instructions on how to check the security patch level. Device manufacturers that 1938 include these updates should set the patch string level to: 1939 [ro.build.version.security_patch]:[2016-09-01], 1940 [ro.build.version.security_patch]:[2016-09-05], or 1941 [ro.build.version.security_patch]:[2016-09-06]. 1942 </p> 1943 1944 <p> 1945 <strong>2. Why does this bulletin have three security patch level 1946 strings?</strong> 1947 </p> 1948 1949 <p> 1950 This bulletin has three security patch level strings so that Android partners 1951 have the flexibility to fix a subset of vulnerabilities that are similar across 1952 all Android devices more quickly. Android partners are encouraged to fix all 1953 issues in this bulletin and use the latest security patch level string. 1954 </p> 1955 1956 <p> 1957 Devices that use the September 6, 2016 security patch level or newer must 1958 include all applicable patches in this (and previous) security bulletins. This 1959 patch level was created to addresses issues that were discovered after partners 1960 were first notified of most issues in this bulletin. 1961 </p> 1962 1963 <p> 1964 Devices that use September 5, 2016 security patch level must include all issues 1965 associated with that security patch level, the September 1, 2016 security patch 1966 level and fixes for all issues reported in previous security bulletins. Devices 1967 that use the September 5, 2016 security patch level may also include a subset of 1968 fixes associated with the September 6, 2016 security patch level. 1969 </p> 1970 1971 <p> 1972 Devices that use September 1, 2016 security patch level must include all issues 1973 associated with that security patch level as well as fixes for all issues 1974 reported in previous security bulletins. Devices that use the September 1, 2016 1975 security patch level may also include a subset of fixes associated with the 1976 September 5, 2016 and September 6, 2016 security patch levels. 1977 </p> 1978 1979 <p> 1980 3<strong>. How do I determine which Nexus devices are affected by each 1981 issue?</strong> 1982 </p> 1983 1984 <p> 1985 In the 1986 <a href="#2016-09-01-details">2016-09-01</a>, 1987 <a href="#2016-09-05-details">2016-09-05</a>, and 1988 <a href="#2016-09-06-details">2016-09-06</a> security vulnerability details 1989 sections, each table has an <em>Updated Nexus devices</em> column that covers 1990 the range of affected Nexus devices updated for each issue. This column has a 1991 few options: 1992 </p> 1993 1994 <ul> 1995 <li><strong>All Nexus devices</strong>: If an issue affects all Nexus devices, 1996 the table will have All Nexus in the <em>Updated Nexus devices</em> column. 1997 All Nexus encapsulates the following 1998 <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">supported 1999 devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, 2000 Android One, Nexus Player, and Pixel C.</li> 2001 <li><strong>Some Nexus devices</strong>: If an issue doesnt affect all Nexus 2002 devices, the affected Nexus devices are listed in the <em>Updated Nexus 2003 devices</em> column.</li> 2004 <li><strong>No Nexus devices</strong>: If no Nexus devices running Android 7.0 2005 are affected by the issue, the table will have None in the <em>Updated Nexus 2006 devices</em> column.</li> 2007 </ul> 2008 <p> 2009 <strong>4. What do the entries in the references column map to?</strong> 2010 </p> 2011 2012 <p> 2013 Entries under the <em>References</em> column of the vulnerability details table 2014 may contain a prefix identifying the organization to which the reference value 2015 belongs. These prefixes map as follows: 2016 </p> 2017 2018 <table> 2019 <tr> 2020 <th>Prefix</th> 2021 <th>Reference</th> 2022 </tr> 2023 <tr> 2024 <td>A-</td> 2025 <td>Android bug ID</td> 2026 </tr> 2027 <tr> 2028 <td>QC-</td> 2029 <td>Qualcomm reference number</td> 2030 </tr> 2031 <tr> 2032 <td>M-</td> 2033 <td>MediaTek reference number</td> 2034 </tr> 2035 <tr> 2036 <td>N-</td> 2037 <td>NVIDIA reference number</td> 2038 </tr> 2039 <tr> 2040 <td>B-</td> 2041 <td>Broadcom reference number</td> 2042 </tr> 2043 </table> 2044 2045 <h2 id="revisions">Revisions</h2> 2046 <ul> 2047 <li>September 06, 2016: Bulletin published.</li> 2048 <li>September 07, 2016: Bulletin revised to include AOSP links.</li> 2049 <li>September 12, 2016: Bulletin revised to update attribution for 2050 CVE-2016-3861 and remove CVE-2016-3877.</li> 2051 </ul> 2052 2053 </body> 2054 </html> 2055
