1 <html devsite> 2 <head> 3 <title>Android Security BulletinOctober 2016</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 <p><em>Published October 03, 2016 | Updated October 04, 2016</em> 26 </p> 27 <p> 28 The Android Security Bulletin contains details of security vulnerabilities 29 affecting Android devices. Alongside the bulletin, we have released a security 30 update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware 31 images have also been released to the 32 <a href="https://developers.google.com/android/nexus/images">Google Developer 33 site</a>. Security Patch Levels of October 05, 2016 or later address these 34 issues. Refer to the 35 <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">documentation</a> 36 to learn how to check the security patch level. Supported Nexus devices will 37 receive a single OTA update with the October 05, 2016 security patch level. 38 </p> 39 <p> 40 Partners were notified about the issues described in the bulletin on September 41 06, 2016 or earlier. Where applicable, source code patches for these issues 42 have been released to the Android Open Source Project (AOSP) repository. This 43 bulletin also includes links to patches outside of AOSP. 44 </p> 45 <p> 46 The most severe of these issues are Critical security vulnerabilities in 47 device-specific code that could enable remote code execution within the context 48 of the kernel, leading to the possibility of a local permanent device 49 compromise, which may require reflashing the operating system to repair the 50 device. The <a href="/security/overview/updates-resources.html#severity">severity 51 assessment</a> is based on the effect that exploiting the vulnerability would 52 possibly have on an affected device, assuming the platform and service 53 mitigations are disabled for development purposes or if successfully bypassed. 54 </p> 55 <p> 56 We have had no reports of active customer exploitation or abuse of these newly 57 reported issues. Refer to the <a href="#mitigations">Android and Google service 58 mitigations</a> section for details on the 59 <a href="/security/enhancements/index.html">Android 60 security platform protections</a> and service protections such as 61 <a href="https://developer.android.com/training/safetynet/index.html">SafetyNet</a>, 62 which improve the security of the Android platform. 63 </p> 64 <p> 65 We encourage all customers to accept these updates to their devices. 66 </p> 67 <h2 id="announcements">Announcements</h2> 68 <ul> 69 <li>This bulletin has two security patch level strings to provide Android 70 partners with the flexibility to more quickly fix a subset of vulnerabilities 71 that are similar across all Android devices. See 72 <a href="#common-questions-and-answers">Common questions and answers</a> for 73 additional information: 74 <ul> 75 <li><strong>2016-10-01</strong>: Partial security patch level string. This 76 security patch level string indicates that all issues associated with 2016-10-01 77 (and all previous security patch level strings) are addressed.</li> 78 <li><strong>2016-10-05</strong>: Complete security patch level string. This 79 security patch level string indicates that all issues associated with 2016-10-01 80 and 2016-10-05 (and all previous security patch level strings) are addressed.</li> 81 </ul> 82 </li> 83 <li>Supported Nexus devices will receive a single OTA update with the October 84 05, 2016 security patch level.</li> 85 </ul> 86 87 <h2 id="mitigations">Android and Google service mitigations</h2> 88 <p> 89 This is a summary of the mitigations provided by the 90 <a href="/security/enhancements/index.html">Android 91 security platform</a> and service protections such as SafetyNet. These 92 capabilities reduce the likelihood that security vulnerabilities could be 93 successfully exploited on Android. 94 </p> 95 <ul> 96 <li>Exploitation for many issues on Android is made more difficult by 97 enhancements in newer versions of the Android platform. We encourage all users 98 to update to the latest version of Android where possible.</li> 99 <li>The Android Security team actively monitors for abuse with <a 100 href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify 101 Apps and SafetyNet</a>, which are designed to warn users about <a 102 href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially 103 Harmful Applications</a>. Verify Apps is enabled by default on devices with <a 104 href="http://www.android.com/gms">Google Mobile Services</a>, and is especially 105 important for users who install applications from outside of Google Play. Device 106 rooting tools are prohibited within Google Play, but Verify Apps warns users 107 when they attempt to install a detected rooting applicationno matter where it 108 comes from. Additionally, Verify Apps attempts to identify and block 109 installation of known malicious applications that exploit a privilege escalation 110 vulnerability. If such an application has already been installed, Verify Apps 111 will notify the user and attempt to remove the detected application.</li> 112 <li>As appropriate, Google Hangouts and Messenger applications do not 113 automatically pass media to processes such as Mediaserver.</li> 114 </ul> 115 <h2 id="acknowledgements">Acknowledgements</h2> 116 <p> 117 We would like to thank these researchers for their contributions: 118 </p> 119 <ul> 120 <li>Andre Teixeira Rizzo: CVE-2016-3882</li> 121 <li>Andrea Biondo: CVE-2016-3921</li> 122 <li>Daniel Micay of Copperhead Security: CVE-2016-3922</li> 123 <li><a href="https://github.com/google/syzkaller">Dmitry Vyukov</a> of Google: 124 CVE-2016-7117</li> 125 <li>dosomder: CVE-2016-3931</li> 126 <li>Ecular Xu () of Trend Micro: CVE-2016-3920</li> 127 <li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>) 128 and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360 129 Technology Co. Ltd.: CVE-2016-6690, CVE-2016-3901, CVE-2016-6672, CVE-2016-3940, 130 CVE-2016-3935</li> 131 <li><a href="mailto:hzhan033 (a] ucr.edu">Hang Zhang</a>, 132 <a href="mailto:dshe002 (a] ucr.edu">Dongdong She</a>, and 133 <a href="mailto:zhiyunq (a] cs.ucr.edu">Zhiyun Qian</a> of UC Riverside: CVE-2015-8950</li> 134 <li>Hao Chen of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-3860</li> 135 <li>Jann Horn of Google Project Zero: CVE-2016-3900, CVE-2016-3885</li> 136 <li><a href="http://keybase.io/jasonrogena">Jason Rogena</a>: CVE-2016-3917</li> 137 <li>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) and 138 <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360: CVE-2016-6688, 139 CVE-2016-6677, CVE-2016-6673, CVE-2016-6687, CVE-2016-6686, CVE-2016-6681, 140 CVE-2016-6682, CVE-2016-3930</li> 141 <li>Joshua Drake (<a href="https://twitter.com/jduck">@jduck</a>): 142 CVE-2016-3920</li> 143 <li>Maciej Szawowski of Google security team: CVE-2016-3905</li> 144 <li>Mark Brand of Google Project Zero: CVE-2016-6689</li> 145 <li><a href="https://github.com/michalbednarski">Micha Bednarski</a>: 146 CVE-2016-3914, CVE-2016-6674, CVE-2016-3911, CVE-2016-3912</li> 147 <li>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), 148 Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian 149 Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3933, CVE-2016-3932</li> 150 <li>Nightwatch Cybersecurity Research 151 (<a href="https://twitter.com/nightwatchcyber">@nightwatchcyber</a>): CVE-2016-5348</li> 152 <li>Roee Hay, IBM Security X-Force Researcher: CVE-2016-6678</li> 153 <li>Samuel Tan of Google: CVE-2016-3925</li> 154 <li><a href="mailto:sbauer (a] plzdonthack.me">Scott Bauer</a> 155 (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): 156 CVE-2016-3936, CVE-2016-3928, CVE-2016-3902, CVE-2016-3937, CVE-2016-6696</li> 157 <li>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of 158 Trend Micro Mobile Threat Research Team: CVE-2016-6685, CVE-2016-6683, 159 CVE-2016-6680, CVE-2016-6679, CVE-2016-3903, CVE-2016-6693, CVE-2016-6694, 160 CVE-2016-6695</li> 161 <li><a href="mailto:vancouverdou (a] gmail.com">Wenke Dou</a>, Mingjian Zhou 162 (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu 163 (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of 164 <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3909</li> 165 <li>Wenlin Yang and Guang Gong () (<a href="https://twitter.com/oldfresher">@oldfresher</a>) 166 of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-3918</li> 167 <li>Wish Wu (<a href="http://weibo.com/wishlinux"></a>) 168 (<a href="https://twitter.com/wish_wu">@wish_wu)</a> of 169 <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/author/wishwu/">Trend 170 Micro Inc.</a>: CVE-2016-3924, CVE-2016-3915, CVE-2016-3916, CVE-2016-3910</li> 171 <li>Yong Shi of Eagleye team, SCC, Huawei: CVE-2016-3938</li> 172 <li>Zhanpeng Zhao () (<a href="https://twitter.com/0xr0ot">@0xr0ot</a>) of 173 Security Research Lab, <a href="http://www.cmcm.com">Cheetah Mobile</a>: 174 CVE-2016-3908</li> 175 </ul> 176 177 <h2 id="2016-10-01-details">2016-10-01 178 security patch levelVulnerability details</h2> 179 <p> 180 In the sections below, we provide details for each of the security 181 vulnerabilities that apply to the 2016-10-01 patch level. There is a description of 182 the issue, a severity rationale, and a table with the CVE, associated 183 references, severity, updated Nexus devices, updated AOSP versions (where 184 applicable), and date reported. When available, we will link the public change 185 that addressed the issue to the bug ID, like the AOSP change list. When multiple 186 changes relate to a single bug, additional references are linked to numbers 187 following the bug ID. 188 </p> 189 <h3 id="eopv-in-servicemanager">Elevation of privilege vulnerability in ServiceManager</h3> 190 <p> 191 An elevation of privilege in ServiceManager could enable a local malicious 192 application to register arbitrary services that would normally be provided by a 193 privileged process, such as the system_server. This issue is rated as High 194 severity due to the possibility of service impersonation. 195 </p> 196 <table> 197 <col width="18%"> 198 <col width="16%"> 199 <col width="10%"> 200 <col width="19%"> 201 <col width="19%"> 202 <col width="17%"> 203 <tr> 204 <th>CVE</th> 205 <th>References</th> 206 <th>Severity</th> 207 <th>Updated Nexus devices</th> 208 <th>Updated AOSP versions</th> 209 <th>Date reported</th> 210 </tr> 211 <tr> 212 <td>CVE-2016-3900</td> 213 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/d3c6ce463ac91ecbeb2128beb475d31d3ca6ef42">A-29431260</a> 214 [<a href="https://android.googlesource.com/platform/frameworks/native/+/047eec456943dc082e33220d28abb7df4e089f69">2</a>] 215 </td> 216 <td>High</td> 217 <td>All Nexus</td> 218 <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 219 <td>Jun 15, 2016</td> 220 </tr> 221 </table> 222 <h3 id="eopv-in-lock-settings-service">Elevation 223 of privilege vulnerability in Lock Settings Service</h3> 224 <p> 225 An elevation of privilege vulnerability in Lock Settings Service could enable a 226 local malicious application to clear the device PIN or password. This issue is 227 rated as High because it is a local bypass of user interaction requirements for 228 any developer or security settings modifications. 229 </p> 230 <table> 231 <col width="18%"> 232 <col width="16%"> 233 <col width="10%"> 234 <col width="19%"> 235 <col width="19%"> 236 <col width="17%"> 237 <tr> 238 <th>CVE</th> 239 <th>References</th> 240 <th>Severity</th> 241 <th>Updated Nexus devices</th> 242 <th>Updated AOSP versions</th> 243 <th>Date reported</th> 244 </tr> 245 <tr> 246 <td>CVE-2016-3908</td> 247 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/96daf7d4893f614714761af2d53dfb93214a32e4">A-30003944</a> 248 </td> 249 <td>High</td> 250 <td>All Nexus</td> 251 <td>6.0, 6.0.1, 7.0</td> 252 <td>Jul 6, 2016</td> 253 </tr> 254 </table> 255 <h3 id="eopv-in-mediaserver">Elevation of privilege vulnerability in Mediaserver</h3> 256 <p> 257 An elevation of privilege vulnerability in Mediaserver could enable a local 258 malicious application to execute arbitrary code within the context of a 259 privileged process. This issue is rated as High because it could be used to gain 260 local access to elevated capabilities, which are not normally accessible to a 261 third-party application. 262 </p> 263 <table> 264 <col width="18%"> 265 <col width="16%"> 266 <col width="10%"> 267 <col width="19%"> 268 <col width="19%"> 269 <col width="17%"> 270 <tr> 271 <th>CVE</th> 272 <th>References</th> 273 <th>Severity</th> 274 <th>Updated Nexus devices</th> 275 <th>Updated AOSP versions</th> 276 <th>Date reported</th> 277 </tr> 278 <tr> 279 <td>CVE-2016-3909</td> 280 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/d4271b792bdad85a80e2b83ab34c4b30b74f53ec">A-30033990</a> 281 [<a href="https://android.googlesource.com/platform/frameworks/av/+/c48ef757cc50906e8726a3bebc3b60716292cdba">2</a>] 282 </td> 283 <td>High</td> 284 <td>All Nexus</td> 285 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 286 <td>Jul 8, 2016</td> 287 </tr> 288 <tr> 289 <td>CVE-2016-3910</td> 290 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/035cb12f392860113dce96116a5150e2fde6f0cc">A-30148546</a> 291 </td> 292 <td>High</td> 293 <td>All Nexus</td> 294 <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 295 <td>Jul 13, 2016</td> 296 </tr> 297 <tr> 298 <td>CVE-2016-3913</td> 299 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/0c3b93c8c2027e74af642967eee5c142c8fd185d">A-30204103</a> 300 </td> 301 <td>High</td> 302 <td>All Nexus</td> 303 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 304 <td>Jul 18, 2016</td> 305 </tr> 306 </table> 307 <h3 id="eopv-in-zygote-process">Elevation of privilege vulnerability in Zygote process</h3> 308 <p> 309 An elevation of privilege in the Zygote process could enable a local malicious 310 application to execute arbitrary code within the context of a privileged 311 process. This issue is rated as High because it could be used to gain local 312 access to elevated capabilities, which are not normally accessible to a 313 third-party application. 314 </p> 315 <table> 316 <col width="18%"> 317 <col width="16%"> 318 <col width="10%"> 319 <col width="19%"> 320 <col width="19%"> 321 <col width="17%"> 322 <tr> 323 <th>CVE</th> 324 <th>References</th> 325 <th>Severity</th> 326 <th>Updated Nexus devices</th> 327 <th>Updated AOSP versions</th> 328 <th>Date reported</th> 329 </tr> 330 <tr> 331 <td>CVE-2016-3911</td> 332 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/2c7008421cb67f5d89f16911bdbe36f6c35311ad">A-30143607</a> 333 </td> 334 <td>High</td> 335 <td>All Nexus</td> 336 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 337 <td>Jul 12, 2016</td> 338 </tr> 339 </table> 340 <h3 id="eopv-in-framework-apis">Elevation of privilege vulnerability in framework APIs</h3> 341 <p> 342 An elevation of privilege vulnerability in the framework APIs could enable a 343 local malicious application to execute arbitrary code within the context of a 344 privileged process. This issue is rated as High because it could be used to gain 345 local access to elevated capabilities, which are not normally accessible to a 346 third-party application. 347 </p> 348 <table> 349 <col width="18%"> 350 <col width="16%"> 351 <col width="10%"> 352 <col width="19%"> 353 <col width="19%"> 354 <col width="17%"> 355 <tr> 356 <th>CVE</th> 357 <th>References</th> 358 <th>Severity</th> 359 <th>Updated Nexus devices</th> 360 <th>Updated AOSP versions</th> 361 <th>Date reported</th> 362 </tr> 363 <tr> 364 <td>CVE-2016-3912</td> 365 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/6c049120c2d749f0c0289d822ec7d0aa692f55c5">A-30202481</a> 366 </td> 367 <td>High</td> 368 <td>All Nexus</td> 369 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 370 <td>Jul 17, 2016</td> 371 </tr> 372 </table> 373 <h3 id="eopv-in-telephony">Elevation of privilege vulnerability in Telephony</h3> 374 <p> 375 An elevation of privilege vulnerability in the Telephony component could enable 376 a local malicious application to execute arbitrary code within the context of a 377 privileged process. This issue is rated as High because it could be used to gain 378 local access to elevated capabilities, which are not normally accessible to a 379 third-party application. 380 </p> 381 <table> 382 <col width="18%"> 383 <col width="16%"> 384 <col width="10%"> 385 <col width="19%"> 386 <col width="19%"> 387 <col width="17%"> 388 <tr> 389 <th>CVE</th> 390 <th>References</th> 391 <th>Severity</th> 392 <th>Updated Nexus devices</th> 393 <th>Updated AOSP versions</th> 394 <th>Date reported</th> 395 </tr> 396 <tr> 397 <td>CVE-2016-3914</td> 398 <td><a href="https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/3a3a5d145d380deef2d5b7c3150864cd04be397f">A-30481342</a> 399 </td> 400 <td>High</td> 401 <td>All Nexus</td> 402 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 403 <td>Jul 28, 2016</td> 404 </tr> 405 </table> 406 <h3 id="eopv-in-camera-service">Elevation of privilege vulnerability in Camera service</h3> 407 <p> 408 An elevation of privilege vulnerability in the Camera service could enable a 409 local malicious application to execute arbitrary code within the context of a 410 privileged process. This issue is rated as High because it could be used to gain 411 local access to elevated capabilities, which are not normally accessible to a 412 third-party application. 413 </p> 414 <table> 415 <col width="18%"> 416 <col width="16%"> 417 <col width="10%"> 418 <col width="19%"> 419 <col width="19%"> 420 <col width="17%"> 421 <tr> 422 <th>CVE</th> 423 <th>References</th> 424 <th>Severity</th> 425 <th>Updated Nexus devices</th> 426 <th>Updated AOSP versions</th> 427 <th>Date reported</th> 428 </tr> 429 <tr> 430 <td>CVE-2016-3915</td> 431 <td><a href="https://android.googlesource.com/platform/system/media/+/e9e44f797742f52996ebf307740dad58c28fd9b5">A-30591838</a> 432 </td> 433 <td>High</td> 434 <td>All Nexus</td> 435 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 436 <td>Aug 1, 2016</td> 437 </tr> 438 <tr> 439 <td>CVE-2016-3916</td> 440 <td><a href="https://android.googlesource.com/platform/system/media/+/8e7a2b4d13bff03973dbad2bfb88a04296140433">A-30741779</a> 441 </td> 442 <td>High</td> 443 <td>All Nexus</td> 444 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 445 <td>Aug 2, 2016</td> 446 </tr> 447 </table> 448 <h3 id="eopv-in-fingerprint-login">Elevation of privilege vulnerability in fingerprint login</h3> 449 <p> 450 An elevation of privilege vulnerability during fingerprint login could enable a 451 malicious device owner to login as a different user account on the device. This 452 issue is rated as High due to the possibility of a lockscreen bypass. 453 </p> 454 <table> 455 <col width="18%"> 456 <col width="16%"> 457 <col width="10%"> 458 <col width="19%"> 459 <col width="19%"> 460 <col width="17%"> 461 <tr> 462 <th>CVE</th> 463 <th>References</th> 464 <th>Severity</th> 465 <th>Updated Nexus devices</th> 466 <th>Updated AOSP versions</th> 467 <th>Date reported</th> 468 </tr> 469 <tr> 470 <td>CVE-2016-3917</td> 471 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/f5334952131afa835dd3f08601fb3bced7b781cd">A-30744668</a> 472 </td> 473 <td>High</td> 474 <td>All Nexus</td> 475 <td>6.0.1, 7.0</td> 476 <td>Aug 5, 2016</td> 477 </tr> 478 </table> 479 <h3 id="information-disclosure-vulnerability-in-aosp-mail">Information 480 disclosure vulnerability in AOSP Mail</h3> 481 <p> 482 An information disclosure vulnerability in AOSP Mail could enable a local 483 malicious application to bypass operating system protections that isolate 484 application data from other applications. This issue is rated as High because it 485 could be used to access data without permission. 486 </p> 487 <table> 488 <col width="18%"> 489 <col width="16%"> 490 <col width="10%"> 491 <col width="19%"> 492 <col width="19%"> 493 <col width="17%"> 494 <tr> 495 <th>CVE</th> 496 <th>References</th> 497 <th>Severity</th> 498 <th>Updated Nexus devices</th> 499 <th>Updated AOSP versions</th> 500 <th>Date reported</th> 501 </tr> 502 <tr> 503 <td>CVE-2016-3918</td> 504 <td><a href="https://android.googlesource.com/platform/packages/apps/Email/+/6b2b0bd7c771c698f11d7be89c2c57c8722c7454">A-30745403</a> 505 </td> 506 <td>High</td> 507 <td>All Nexus</td> 508 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 509 <td>Aug 5, 2016</td> 510 </tr> 511 </table> 512 <h3 id="dosv-in-wi-fi">Denial of service 513 vulnerability in Wi-Fi</h3> 514 <p> 515 A denial of service vulnerability in Wi-Fi could enable a local proximate 516 attacker to create a hotspot and cause a device reboot. This issue is rated as 517 High due to the possibility of a temporary remote denial of service. 518 </p> 519 <table> 520 <col width="18%"> 521 <col width="16%"> 522 <col width="10%"> 523 <col width="19%"> 524 <col width="17%"> 525 <col width="19%"> 526 <tr> 527 <th>CVE</th> 528 <th>References</th> 529 <th>Severity</th> 530 <th>Updated Nexus devices</th> 531 <th>Updated AOSP versions</th> 532 <th>Date reported</th> 533 </tr> 534 <tr> 535 <td>CVE-2016-3882</td> 536 <td><a href="https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/35a86eef3c0eef760f7e61c52a343327ba601630">A-29464811</a> 537 </td> 538 <td>High</td> 539 <td>All Nexus</td> 540 <td>6.0, 6.0.1, 7.0</td> 541 <td>Jun 17, 2016</td> 542 </tr> 543 </table> 544 <h3 id="dosv-in-gps">Denial of service vulnerability in GPS</h3> 545 <p> 546 A denial of service vulnerability in the GPS component could enable a remote 547 attacker to cause a device hang or reboot. This issue is rated as High due to 548 the possibility of a temporary remote denial of service. 549 </p> 550 <table> 551 <col width="18%"> 552 <col width="16%"> 553 <col width="10%"> 554 <col width="19%"> 555 <col width="19%"> 556 <col width="17%"> 557 <tr> 558 <th>CVE</th> 559 <th>References</th> 560 <th>Severity</th> 561 <th>Updated Nexus devices</th> 562 <th>Updated AOSP versions</th> 563 <th>Date reported</th> 564 </tr> 565 <tr> 566 <td>CVE-2016-5348</td> 567 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/218b813d5bc2d7d3952ea1861c38b4aa944ac59b">A-29555864</a> 568 </td> 569 <td>High</td> 570 <td>All Nexus</td> 571 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 572 <td>Jun 20, 2016</td> 573 </tr> 574 </table> 575 <h3 id="dosv-in-mediaserver">Denial of service vulnerability in Mediaserver</h3> 576 <p> 577 A denial of service vulnerability in Mediaserver could enable an attacker to use 578 a specially crafted file to cause a device hang or reboot. This issue is rated 579 as High due to the possibility of remote denial of service. 580 </p> 581 <table> 582 <col width="18%"> 583 <col width="16%"> 584 <col width="10%"> 585 <col width="19%"> 586 <col width="19%"> 587 <col width="17%"> 588 <tr> 589 <th>CVE</th> 590 <th>References</th> 591 <th>Severity</th> 592 <th>Updated Nexus devices</th> 593 <th>Updated AOSP versions</th> 594 <th>Date reported</th> 595 </tr> 596 <tr> 597 <td>CVE-2016-3920</td> 598 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6d0249be2275fd4086783f259f4e2c54722a7c55">A-30744884</a> 599 </td> 600 <td>High</td> 601 <td>All Nexus</td> 602 <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 603 <td>Aug 5, 2016</td> 604 </tr> 605 </table> 606 <h3 id="eopv-in-framework-listener">Elevation of privilege vulnerability in Framework Listener</h3> 607 <p> 608 An elevation of privilege vulnerability in Framework Listener could enable a 609 local malicious application to execute arbitrary code within the context of a 610 privileged process. This issue is rated as Moderate because it first requires 611 compromising a privileged process. 612 </p> 613 <table> 614 <col width="18%"> 615 <col width="16%"> 616 <col width="10%"> 617 <col width="18%"> 618 <col width="20%"> 619 <col width="17%"> 620 <tr> 621 <th>CVE</th> 622 <th>References</th> 623 <th>Severity</th> 624 <th>Updated Nexus devices</th> 625 <th>Updated AOSP versions</th> 626 <th>Date reported</th> 627 </tr> 628 <tr> 629 <td>CVE-2016-3921</td> 630 <td><a href="https://android.googlesource.com/platform/system/core/+/771ab014c24a682b32990da08e87e2f0ab765bd2">A-29831647</a> 631 </td> 632 <td>Moderate</td> 633 <td>All Nexus</td> 634 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 635 <td>Jun 25, 2016</td> 636 </tr> 637 </table> 638 <h3 id="eopv-in-telephony-2">Elevation of privilege vulnerability in Telephony</h3> 639 <p> 640 An elevation of privilege vulnerability in Telephony could enable a local 641 malicious application to execute arbitrary code in the context of a privileged 642 process. This issue is rated as Moderate because it first requires compromising 643 a privileged process. 644 </p> 645 <table> 646 <col width="18%"> 647 <col width="16%"> 648 <col width="10%"> 649 <col width="19%"> 650 <col width="19%"> 651 <col width="17%"> 652 <tr> 653 <th>CVE</th> 654 <th>References</th> 655 <th>Severity</th> 656 <th>Updated Nexus devices</th> 657 <th>Updated AOSP versions</th> 658 <th>Date reported</th> 659 </tr> 660 <tr> 661 <td>CVE-2016-3922</td> 662 <td><a href="https://android.googlesource.com/platform/hardware/ril/+/95610818918f6f11fe7d23aca1380e6c0fac2af0">A-30202619</a> 663 </td> 664 <td>Moderate</td> 665 <td>All Nexus</td> 666 <td>6.0, 6.0.1, 7.0</td> 667 <td>Jul 17, 2016</td> 668 </tr> 669 </table> 670 <h3 671 id="eopv-in-accessibility-services">Elevation of privilege vulnerability in Accessibility services</h3> 672 <p> 673 An elevation of privilege vulnerability in the Accessibility services could 674 enable a local malicious application to generate unexpected touch events on the 675 device that could lead to applications accepting permission dialogs without the 676 users explicit consent. This issue is rated as Moderate because it is a local 677 bypass of user interaction requirements that would normally require either user 678 initiation or user permission. 679 </p> 680 <table> 681 <col width="18%"> 682 <col width="16%"> 683 <col width="10%"> 684 <col width="19%"> 685 <col width="18%"> 686 <col width="18%"> 687 <tr> 688 <th>CVE</th> 689 <th>References</th> 690 <th>Severity</th> 691 <th>Updated Nexus devices</th> 692 <th>Updated AOSP versions</th> 693 <th>Date reported</th> 694 </tr> 695 <tr> 696 <td>CVE-2016-3923</td> 697 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/5f256310187b4ff2f13a7abb9afed9126facd7bc">A-30647115</a> 698 </td> 699 <td>Moderate</td> 700 <td>All Nexus</td> 701 <td>7.0</td> 702 <td>Google internal</td> 703 </tr> 704 </table> 705 <h3 id="information-disclosure-vulnerability-in-mediaserver">Information 706 disclosure vulnerability in Mediaserver</h3> 707 <p> 708 An information disclosure vulnerability in Mediaserver could enable a local 709 malicious application to access data outside of its permission levels. This 710 issue is rated as Moderate because it could be used to access sensitive data 711 without permission. 712 </p> 713 <table> 714 <col width="18%"> 715 <col width="16%"> 716 <col width="10%"> 717 <col width="18%"> 718 <col width="20%"> 719 <col width="17%"> 720 <tr> 721 <th>CVE</th> 722 <th>References</th> 723 <th>Severity</th> 724 <th>Updated Nexus devices</th> 725 <th>Updated AOSP versions</th> 726 <th>Date reported</th> 727 </tr> 728 <tr> 729 <td>CVE-2016-3924</td> 730 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c894aa36be535886a8e5ff02cdbcd07dd24618f6">A-30204301</a> 731 </td> 732 <td>Moderate</td> 733 <td>All Nexus</td> 734 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td> 735 <td>Jul 18, 2016</td> 736 </tr> 737 </table> 738 <h3 id="dosv-in-wi-fi-2">Denial of service vulnerability in Wi-Fi</h3> 739 <p> 740 A denial of service vulnerability in the Wi-Fi service could enable a local 741 malicious application to prevent Wi-Fi calling. This issue is rated as Moderate 742 due to the possibility of a denial of service to application functionality. 743 </p> 744 <table> 745 <col width="18%"> 746 <col width="16%"> 747 <col width="10%"> 748 <col width="19%"> 749 <col width="17%"> 750 <col width="19%"> 751 <tr> 752 <th>CVE</th> 753 <th>References</th> 754 <th>Severity</th> 755 <th>Updated Nexus devices</th> 756 <th>Updated AOSP versions</th> 757 <th>Date reported</th> 758 </tr> 759 <tr> 760 <td>CVE-2016-3925</td> 761 <td><a href="https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/c2905409c20c8692d4396b8531b09e7ec81fa3fb">A-30230534</a> 762 </td> 763 <td>Moderate</td> 764 <td>All Nexus</td> 765 <td>6.0, 6.0.1, 7.0</td> 766 <td>Google internal</td> 767 </tr> 768 </table> 769 <h2 id="2016-10-05-details">2016-10-05 770 security patch levelVulnerability details</h2> 771 <p> 772 In the sections below, we provide details for each of the security 773 vulnerabilities that apply to the 2016-10-05 patch level. There is a description of 774 the issue, a severity rationale, and a table with the CVE, associated 775 references, severity, updated Nexus devices, updated AOSP versions (where 776 applicable), and date reported. When available, we will link the public change 777 that addressed the issue to the bug ID, like the AOSP change list. When multiple 778 changes relate to a single bug, additional references are linked to numbers 779 following the bug ID. 780 </p> 781 <h3 id="remote-code-execution-vulnerability-in-kernel-asn-1-decoder">Remote code 782 execution vulnerability in kernel ASN.1 decoder</h3> 783 <p> 784 An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable 785 a local malicious application to execute arbitrary code within the context of 786 the kernel. This issue is rated as Critical due to the possibility of a local 787 permanent device compromise, which may require reflashing the operating system 788 to repair the device. 789 </p> 790 <table> 791 <col width="19%"> 792 <col width="20%"> 793 <col width="10%"> 794 <col width="23%"> 795 <col width="17%"> 796 <tr> 797 <th>CVE</th> 798 <th>References</th> 799 <th>Severity</th> 800 <th>Updated Nexus devices</th> 801 <th>Date reported</th> 802 </tr> 803 <tr> 804 <td>CVE-2016-0758</td> 805 <td>A-29814470<br> 806 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa"> 807 Upstream kernel</a></td> 808 <td>Critical</td> 809 <td>Nexus 5X, Nexus 6P</td> 810 <td>May 12, 2016</td> 811 </tr> 812 </table> 813 <h3 814 id="remote-code-execution-vulnerability-in-kernel-networking-subsystem">Remote 815 code execution vulnerability in kernel networking subsystem</h3> 816 <p> 817 A remote code execution vulnerability in the kernel networking subsystem could 818 enable a remote attacker to execute arbitrary code within the context of the 819 kernel. This issue is rated as Critical due to the possibility of a local 820 permanent device compromise, which may require reflashing the operating system 821 to repair the device. 822 </p> 823 <table> 824 <col width="19%"> 825 <col width="20%"> 826 <col width="10%"> 827 <col width="23%"> 828 <col width="17%"> 829 <tr> 830 <th>CVE</th> 831 <th>References</th> 832 <th>Severity</th> 833 <th>Updated Nexus devices</th> 834 <th>Date reported</th> 835 </tr> 836 <tr> 837 <td>CVE-2016-7117</td> 838 <td>A-30515201<br> 839 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d">Upstream 840 kernel</a></td> 841 <td>Critical</td> 842 <td>All Nexus</td> 843 <td>Google internal</td> 844 </tr> 845 </table> 846 <h3 id="eopv-in-mediatek-video-driver">Elevation 847 of privilege vulnerability in MediaTek video driver</h3> 848 <p> 849 An elevation of privilege vulnerability in the MediaTek video driver could 850 enable a local malicious application to execute arbitrary code within the 851 context of the kernel. This issue is rated as Critical due to the possibility of 852 a local permanent device compromise, which may require reflashing the operating 853 system to repair the device. 854 </p> 855 <table> 856 <col width="19%"> 857 <col width="20%"> 858 <col width="10%"> 859 <col width="23%"> 860 <col width="17%"> 861 <tr> 862 <th>CVE</th> 863 <th>References</th> 864 <th>Severity</th> 865 <th>Updated Nexus devices</th> 866 <th>Date reported</th> 867 </tr> 868 <tr> 869 <td>CVE-2016-3928</td> 870 <td>A-30019362*<br> 871 M-ALPS02829384</td> 872 <td>Critical</td> 873 <td>None</td> 874 <td>Jul 6, 2016</td> 875 </tr> 876 </table> 877 <p> 878 * The patch for this issue is not publicly available. The update is contained in 879 the latest binary drivers for Nexus devices available from the 880 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 881 site</a>. 882 </p> 883 <h3 884 id="eopv-in-kernel-shared-memory-driver">Elevation 885 of privilege vulnerability in kernel shared memory driver</h3> 886 <p> 887 An elevation of privilege vulnerability in the kernel shared memory driver could 888 enable a local malicious application to execute arbitrary code within the 889 context of the kernel. This issue is rated as Critical due to the possibility of 890 a local permanent device compromise, which may require reflashing the operating 891 system to repair the device. 892 </p> 893 <table> 894 <col width="19%"> 895 <col width="20%"> 896 <col width="10%"> 897 <col width="23%"> 898 <col width="17%"> 899 <tr> 900 <th>CVE</th> 901 <th>References</th> 902 <th>Severity</th> 903 <th>Updated Nexus devices</th> 904 <th>Date reported</th> 905 </tr> 906 <tr> 907 <td>CVE-2016-5340</td> 908 <td>A-30652312<br> 909 <a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6">QC-CR#1008948</a></td> 910 <td>Critical</td> 911 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 912 <td>Jul 26, 2016</td> 913 </tr> 914 </table> 915 916 <h3 id="vulnerabilities-in-qc-components"> 917 Vulnerabilities in Qualcomm components</h3> 918 <p> 919 The table below contains security vulnerabilities affecting Qualcomm components 920 and are described in further detail in the Qualcomm AMSS March 2016 and 921 Qualcomm AMSS April 2016 security bulletins. 922 </p> 923 <table> 924 <col width="19%"> 925 <col width="16%"> 926 <col width="10%"> 927 <col width="23%"> 928 <col width="21%"> 929 <tr> 930 <th>CVE</th> 931 <th>References</th> 932 <th>Severity</th> 933 <th>Updated Nexus devices</th> 934 <th>Date reported</th> 935 </tr> 936 <tr> 937 <td>CVE-2016-3926</td> 938 <td>A-28823953*</td> 939 <td>Critical</td> 940 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td> 941 <td>Qualcomm internal</td> 942 </tr> 943 <tr> 944 <td>CVE-2016-3927</td> 945 <td>A-28823244*</td> 946 <td>Critical</td> 947 <td>Nexus 5X, Nexus 6P</td> 948 <td>Qualcomm internal</td> 949 </tr> 950 <tr> 951 <td>CVE-2016-3929</td> 952 <td>A-28823675*</td> 953 <td>High</td> 954 <td>Nexus 5X, Nexus 6P</td> 955 <td>Qualcomm internal</td> 956 </tr> 957 </table> 958 <p> 959 * The patch for this issue is not publicly available. The update is contained in 960 the latest binary drivers for Nexus devices available from the 961 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 962 site</a>. 963 </p> 964 <h3 id="eopv-in-qualcomm-networking-component">Elevation 965 of privilege vulnerability in Qualcomm networking component</h3> 966 <p> 967 An elevation of privilege vulnerability in the Qualcomm networking component 968 could enable a local malicious application to execute arbitrary code within the 969 context of the kernel. This issue is rated as High because it first requires 970 compromising a privileged process. 971 </p> 972 <table> 973 <col width="19%"> 974 <col width="20%"> 975 <col width="10%"> 976 <col width="23%"> 977 <col width="17%"> 978 <tr> 979 <th>CVE</th> 980 <th>References</th> 981 <th>Severity</th> 982 <th>Updated Nexus devices</th> 983 <th>Date reported</th> 984 </tr> 985 <tr> 986 <td>CVE-2016-2059</td> 987 <td>A-27045580<br> 988 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d">QC-CR#974577</a></td> 989 <td>High</td> 990 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 991 <td>Feb 4, 2016</td> 992 </tr> 993 </table> 994 <h3 id="eopv-in-nvidia-mmc-test-driver">Elevation of privilege vulnerability in 995 NVIDIA MMC test driver</h3> 996 <p> 997 An elevation of privilege vulnerability in the NVIDIA MMC test driver could 998 enable a local malicious application to execute arbitrary code within the 999 context of the kernel. This issue is rated as High because it first requires 1000 compromising a privileged process. 1001 </p> 1002 <table> 1003 <col width="19%"> 1004 <col width="20%"> 1005 <col width="10%"> 1006 <col width="23%"> 1007 <col width="17%"> 1008 <tr> 1009 <th>CVE</th> 1010 <th>References</th> 1011 <th>Severity</th> 1012 <th>Updated Nexus devices</th> 1013 <th>Date reported</th> 1014 </tr> 1015 <tr> 1016 <td>CVE-2016-3930</td> 1017 <td>A-28760138*<br> 1018 N-CVE-2016-3930</td> 1019 <td>High</td> 1020 <td>Nexus 9</td> 1021 <td>May 12, 2016</td> 1022 </tr> 1023 </table> 1024 <p> 1025 * The patch for this issue is not publicly available. The update is contained in 1026 the latest binary drivers for Nexus devices available from the 1027 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1028 site</a>. 1029 </p> 1030 <h3 1031 id="eopv-in-qsee-communicator-driver">Elevation of privilege vulnerability in 1032 Qualcomm QSEE Communicator driver</h3> 1033 <p> 1034 An elevation of privilege vulnerability in the Qualcomm QSEE 1035 Communicator driver could enable a local malicious application to 1036 execute arbitrary code within the context of the kernel. This issue is rated as 1037 High because it first requires compromising a privileged process. 1038 </p> 1039 <table> 1040 <col width="19%"> 1041 <col width="20%"> 1042 <col width="10%"> 1043 <col width="23%"> 1044 <col width="17%"> 1045 <tr> 1046 <th>CVE</th> 1047 <th>References</th> 1048 <th>Severity</th> 1049 <th>Updated Nexus devices</th> 1050 <th>Date reported</th> 1051 </tr> 1052 <tr> 1053 <td>CVE-2016-3931</td> 1054 <td>A-29157595<br> 1055 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e80b88323f9ff0bb0e545f209eec08ec56fca816">QC-CR#1036418</a></td> 1056 <td>High</td> 1057 <td>Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1058 <td>Jun 4, 2016</td> 1059 </tr> 1060 </table> 1061 <h3 id="eopv-in-mediaserver-2">Elevation of privilege vulnerability in Mediaserver</h3> 1062 <p> 1063 An elevation of privilege vulnerability in Mediaserver could enable a local 1064 malicious application to execute arbitrary code within the context of a 1065 privileged process. This issue is rated as High because it could be used to gain 1066 local access to elevated capabilities, which are not normally accessible to a 1067 third-party application. 1068 </p> 1069 <table> 1070 <col width="19%"> 1071 <col width="20%"> 1072 <col width="10%"> 1073 <col width="23%"> 1074 <col width="17%"> 1075 <tr> 1076 <th>CVE</th> 1077 <th>References</th> 1078 <th>Severity</th> 1079 <th>Updated Nexus devices</th> 1080 <th>Date reported</th> 1081 </tr> 1082 <tr> 1083 <td>CVE-2016-3932</td> 1084 <td>A-29161895<br> 1085 M-ALPS02770870</td> 1086 <td>High</td> 1087 <td>None</td> 1088 <td>Jun 6, 2016</td> 1089 </tr> 1090 <tr> 1091 <td>CVE-2016-3933</td> 1092 <td>A-29421408*<br> 1093 N-CVE-2016-3933</td> 1094 <td>High</td> 1095 <td>Nexus 9, Pixel C</td> 1096 <td>Jun 14, 2016</td> 1097 </tr> 1098 </table> 1099 <p> 1100 * The patch for this issue is not publicly available. The update is contained in 1101 the latest binary drivers for Nexus devices available from the 1102 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1103 site</a>. 1104 </p> 1105 <h3 id="eopv-in-qualcomm-camera-driver">Elevation of privilege vulnerability 1106 in Qualcomm camera driver</h3> 1107 <p> 1108 An elevation of privilege vulnerability in the Qualcomm camera driver could 1109 enable a local malicious application to execute arbitrary code within the 1110 context of the kernel. This issue is rated as High because it first requires 1111 compromising a privileged process. 1112 </p> 1113 <table> 1114 <col width="19%"> 1115 <col width="20%"> 1116 <col width="10%"> 1117 <col width="23%"> 1118 <col width="17%"> 1119 <tr> 1120 <th>CVE</th> 1121 <th>References</th> 1122 <th>Severity</th> 1123 <th>Updated Nexus devices</th> 1124 <th>Date reported</th> 1125 </tr> 1126 <tr> 1127 <td>CVE-2016-3903</td> 1128 <td>A-29513227<br> 1129 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8874573428e8ce024f57c6242d662fcca5e5d55">QC-CR#1040857</a></td> 1130 <td>High</td> 1131 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1132 <td>Jun 20, 2016</td> 1133 </tr> 1134 <tr> 1135 <td>CVE-2016-3934</td> 1136 <td>A-30102557<br> 1137 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc">QC-CR#789704</a></td> 1138 <td>High</td> 1139 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1140 <td>Jul 12, 2016</td> 1141 </tr> 1142 </table> 1143 <h3 id="eopv-in-qualcomm-sound-driver">Elevation 1144 of privilege vulnerability in Qualcomm sound driver</h3> 1145 <p> 1146 An elevation of privilege vulnerability in the Qualcomm sound driver could 1147 enable a local malicious application to execute arbitrary code within the 1148 context of the kernel. This issue is rated as High because it first requires 1149 compromising a privileged process. 1150 </p> 1151 <table> 1152 <col width="19%"> 1153 <col width="20%"> 1154 <col width="10%"> 1155 <col width="23%"> 1156 <col width="17%"> 1157 <tr> 1158 <th>CVE</th> 1159 <th>References</th> 1160 <th>Severity</th> 1161 <th>Updated Nexus devices</th> 1162 <th>Date reported</th> 1163 </tr> 1164 <tr> 1165 <td>CVE-2015-8951</td> 1166 <td>A-30142668<br> 1167 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=ccff36b07bfc49efc77b9f1b55ed2bf0900b1d5b">QC-CR#948902</a><br> 1168 QC-CR#948902</td> 1169 <td>High</td> 1170 <td>Nexus 5X, Nexus 6P, Android One</td> 1171 <td>Jun 20, 2016</td> 1172 </tr> 1173 </table> 1174 <h3 id="eopv-in-qualcomm-crypto-engine-driver">Elevation 1175 of privilege vulnerability in Qualcomm crypto engine driver</h3> 1176 <p> 1177 An elevation of privilege vulnerability in the Qualcomm cryptographic engine 1178 driver could enable a local malicious application to execute arbitrary code 1179 within the context of the kernel. This issue is rated as High because it first 1180 requires compromising a privileged process. 1181 </p> 1182 <table> 1183 <col width="19%"> 1184 <col width="20%"> 1185 <col width="10%"> 1186 <col width="23%"> 1187 <col width="17%"> 1188 <tr> 1189 <th>CVE</th> 1190 <th>References</th> 1191 <th>Severity</th> 1192 <th>Updated Nexus devices</th> 1193 <th>Date reported</th> 1194 </tr> 1195 <tr> 1196 <td>CVE-2016-3901</td> 1197 <td>A-29999161<br> 1198 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132">QC-CR#1046434</a></td> 1199 <td>High</td> 1200 <td>Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1201 <td>Jul 6, 2016</td> 1202 </tr> 1203 <tr> 1204 <td>CVE-2016-3935</td> 1205 <td>A-29999665<br> 1206 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132">QC-CR#1046507</a></td> 1207 <td>High</td> 1208 <td>Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1209 <td>Jul 6, 2016</td> 1210 </tr> 1211 </table> 1212 <h3 id="eopv-in-mediatek-video-driver-2">Elevation 1213 of privilege vulnerability in MediaTek video driver</h3> 1214 <p> 1215 An elevation of privilege vulnerability in the MediaTek video driver could 1216 enable a local malicious application to execute arbitrary code within the 1217 context of the kernel. This issue is rated as High because it first requires 1218 compromising a privileged process. 1219 </p> 1220 <table> 1221 <col width="19%"> 1222 <col width="20%"> 1223 <col width="10%"> 1224 <col width="23%"> 1225 <col width="17%"> 1226 <tr> 1227 <th>CVE</th> 1228 <th>References</th> 1229 <th>Severity</th> 1230 <th>Updated Nexus devices</th> 1231 <th>Date reported</th> 1232 </tr> 1233 <tr> 1234 <td>CVE-2016-3936</td> 1235 <td>A-30019037*<br> 1236 M-ALPS02829568</td> 1237 <td>High</td> 1238 <td>None</td> 1239 <td>Jul 6, 2016</td> 1240 </tr> 1241 <tr> 1242 <td>CVE-2016-3937</td> 1243 <td>A-30030994*<br> 1244 M-ALPS02834874</td> 1245 <td>High</td> 1246 <td>None</td> 1247 <td>Jul 7, 2016</td> 1248 </tr> 1249 </table> 1250 <p> 1251 * The patch for this issue is not publicly available. The update is contained in 1252 the latest binary drivers for Nexus devices available from the 1253 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1254 site</a>. 1255 </p> 1256 <h3 id="eopv-in-qualcomm-video-driver">Elevation 1257 of privilege vulnerability in Qualcomm video driver</h3> 1258 <p> 1259 An elevation of privilege vulnerability in the Qualcomm video driver could 1260 enable a local malicious application to execute arbitrary code within the 1261 context of the kernel. This issue is rated as High because it first requires 1262 compromising a privileged process. 1263 </p> 1264 <table> 1265 <col width="19%"> 1266 <col width="20%"> 1267 <col width="10%"> 1268 <col width="23%"> 1269 <col width="17%"> 1270 <tr> 1271 <th>CVE</th> 1272 <th>References</th> 1273 <th>Severity</th> 1274 <th>Updated Nexus devices</th> 1275 <th>Date reported</th> 1276 </tr> 1277 <tr> 1278 <td>CVE-2016-3938</td> 1279 <td>A-30019716<br> 1280 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=467c81f9736b1ebc8d4ba70f9221bba02425ca10">QC-CR#1049232</a></td> 1281 <td>High</td> 1282 <td>Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1283 <td>Jul 7, 2016</td> 1284 </tr> 1285 <tr> 1286 <td>CVE-2016-3939</td> 1287 <td>A-30874196<br> 1288 <a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e0bb18771d6ca71db2c2a61226827059be3fa424">QC-CR#1001224</a></td> 1289 <td>High</td> 1290 <td>Nexus 5X, Nexus 6, Nexus 6P, Android One</td> 1291 <td>Aug 15, 2016</td> 1292 </tr> 1293 </table> 1294 <h3 1295 id="eopv-in-synaptics-touchscreen-driver">Elevation 1296 of privilege vulnerability in Synaptics touchscreen driver</h3> 1297 <p> 1298 An elevation of privilege vulnerability in the Synaptics touchscreen driver 1299 could enable a local malicious application to execute arbitrary code within the 1300 context of the kernel. This issue is rated as High because it first requires 1301 compromising a privileged process. 1302 </p> 1303 <table> 1304 <col width="19%"> 1305 <col width="20%"> 1306 <col width="10%"> 1307 <col width="23%"> 1308 <col width="17%"> 1309 <tr> 1310 <th>CVE</th> 1311 <th>References</th> 1312 <th>Severity</th> 1313 <th>Updated Nexus devices</th> 1314 <th>Date reported</th> 1315 </tr> 1316 <tr> 1317 <td>CVE-2016-3940</td> 1318 <td>A-30141991*</td> 1319 <td>High</td> 1320 <td>Nexus 6P, Android One</td> 1321 <td>Jul 12, 2016</td> 1322 </tr> 1323 <tr> 1324 <td>CVE-2016-6672</td> 1325 <td>A-30537088*</td> 1326 <td>High</td> 1327 <td>Nexus 5X</td> 1328 <td>Jul 31, 2016</td> 1329 </tr> 1330 </table> 1331 <p> 1332 * The patch for this issue is not publicly available. The update is contained in 1333 the latest binary drivers for Nexus devices available from the 1334 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1335 site</a>. 1336 </p> 1337 <h3 id="eopv-in-nvidia-camera-driver">Elevation 1338 of privilege vulnerability in NVIDIA camera driver</h3> 1339 <p> 1340 An elevation of privilege vulnerability in the NVIDIA camera driver could enable 1341 a local malicious application to execute arbitrary code within the context of 1342 the kernel. This issue is rated as High because it first requires compromising a 1343 privileged process. 1344 </p> 1345 <table> 1346 <col width="19%"> 1347 <col width="20%"> 1348 <col width="10%"> 1349 <col width="23%"> 1350 <col width="17%"> 1351 <tr> 1352 <th>CVE</th> 1353 <th>References</th> 1354 <th>Severity</th> 1355 <th>Updated Nexus devices</th> 1356 <th>Date reported</th> 1357 </tr> 1358 <tr> 1359 <td>CVE-2016-6673</td> 1360 <td>A-30204201*<br> 1361 N-CVE-2016-6673</td> 1362 <td>High</td> 1363 <td>Nexus 9</td> 1364 <td>Jul 17, 2016</td> 1365 </tr> 1366 </table> 1367 <p> 1368 * The patch for this issue is not publicly available. The update is contained in 1369 the latest binary drivers for Nexus devices available from the 1370 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1371 site</a>. 1372 </p> 1373 <h3 id="eopv-in-system_server">Elevation of privilege vulnerability in system_server</h3> 1374 <p> 1375 An elevation of privilege vulnerability in system_server could enable a local 1376 malicious application to execute arbitrary code within the context of a 1377 privileged process. This issue is rated as High because it could be used to gain 1378 local access to elevated capabilities, which are not normally accessible to a 1379 third-party application. 1380 </p> 1381 <table> 1382 <col width="19%"> 1383 <col width="20%"> 1384 <col width="10%"> 1385 <col width="23%"> 1386 <col width="17%"> 1387 <tr> 1388 <th>CVE</th> 1389 <th>References</th> 1390 <th>Severity</th> 1391 <th>Updated Nexus devices</th> 1392 <th>Date reported</th> 1393 </tr> 1394 <tr> 1395 <td>CVE-2016-6674</td> 1396 <td>A-30445380*</td> 1397 <td>High</td> 1398 <td>All Nexus</td> 1399 <td>Jul 26, 2016</td> 1400 </tr> 1401 </table> 1402 <p> 1403 * The patch for this issue is not publicly available. The update is contained in 1404 the latest binary drivers for Nexus devices available from the 1405 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1406 site</a>. 1407 </p> 1408 <h3 id="eopv-in-qualcomm-wi-fi-driver">Elevation 1409 of privilege vulnerability in Qualcomm Wi-Fi driver</h3> 1410 <p> 1411 An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could 1412 enable a local malicious application to execute arbitrary code within the 1413 context of the kernel. This issue is rated as High because it first requires 1414 compromising a privileged process. 1415 </p> 1416 <table> 1417 <col width="19%"> 1418 <col width="20%"> 1419 <col width="10%"> 1420 <col width="23%"> 1421 <col width="17%"> 1422 <tr> 1423 <th>CVE</th> 1424 <th>References</th> 1425 <th>Severity</th> 1426 <th>Updated Nexus devices</th> 1427 <th>Date reported</th> 1428 </tr> 1429 <tr> 1430 <td>CVE-2016-3905</td> 1431 <td>A-28061823<br> 1432 <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b5112838eb91b71eded4b5ee37338535784e0aef">QC-CR#1001449</a></td> 1433 <td>High</td> 1434 <td>Nexus 5X</td> 1435 <td>Google internal</td> 1436 </tr> 1437 <tr> 1438 <td>CVE-2016-6675</td> 1439 <td>A-30873776<br> 1440 <a href="https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09">QC-CR#1000861</a></td> 1441 <td>High</td> 1442 <td>Nexus 5X, Android One</td> 1443 <td>Aug 15, 2016</td> 1444 </tr> 1445 <tr> 1446 <td>CVE-2016-6676</td> 1447 <td>A-30874066<br> 1448 <a href="https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6ba9136879232442a182996427e5c88e5a7512a8">QC-CR#1000853</a></td> 1449 <td>High</td> 1450 <td>Nexus 5X, Android One</td> 1451 <td>Aug 15, 2016</td> 1452 </tr> 1453 <tr> 1454 <td>CVE-2016-5342</td> 1455 <td>A-30878283<br> 1456 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=579e796cb089324c55e0e689a180575ba81b23d9">QC-CR#1032174</a></td> 1457 <td>High</td> 1458 <td>Android One</td> 1459 <td>Aug 15, 2016</td> 1460 </tr> 1461 </table> 1462 <h3 1463 id="eopv-in-kernel-performance-subsystem">Elevation 1464 of privilege vulnerability in kernel performance subsystem</h3> 1465 <p> 1466 An elevation of privilege vulnerability in the kernel performance subsystem 1467 could enable a local malicious application to execute arbitrary code within the 1468 context of the kernel. This issue is rated as High because it first requires 1469 compromising a privileged process. 1470 </p> 1471 <table> 1472 <col width="19%"> 1473 <col width="20%"> 1474 <col width="10%"> 1475 <col width="23%"> 1476 <col width="17%"> 1477 <tr> 1478 <th>CVE</th> 1479 <th>References</th> 1480 <th>Severity</th> 1481 <th>Updated Nexus devices</th> 1482 <th>Date reported</th> 1483 </tr> 1484 <tr> 1485 <td>CVE-2015-8955</td> 1486 <td>A-29508816<br> 1487 <a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8fff105e13041e49b82f92eef034f363a6b1c071">Upstream kernel</a></td> 1488 <td>High</td> 1489 <td>Nexus 5X, Nexus 6P, Pixel C, Android One</td> 1490 <td>Google internal</td> 1491 </tr> 1492 </table> 1493 <h3 1494 id="information-disclosure-vulnerability-in-kernel-ion-subsystem">Information 1495 disclosure vulnerability in kernel ION subsystem</h3> 1496 <p> 1497 An information disclosure vulnerability in the kernel ION subsystem could enable 1498 a local malicious application to access data outside of its permission levels. 1499 This issue is rated as High because it could be used to access sensitive data 1500 without explicit user permission. 1501 </p> 1502 <table> 1503 <col width="19%"> 1504 <col width="20%"> 1505 <col width="10%"> 1506 <col width="23%"> 1507 <col width="17%"> 1508 <tr> 1509 <th>CVE</th> 1510 <th>References</th> 1511 <th>Severity</th> 1512 <th>Updated Nexus devices</th> 1513 <th>Date reported</th> 1514 </tr> 1515 <tr> 1516 <td>CVE-2015-8950</td> 1517 <td>A-29795245<br> 1518 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6e2c437a2d0a85d90d3db85a7471f99764f7bbf8">QC-CR#1041735</a></td> 1519 <td>High</td> 1520 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td> 1521 <td>May 12, 2016</td> 1522 </tr> 1523 </table> 1524 <h3 id="information-disclosure-vulnerability-in-nvidia-gpu-driver">Information 1525 disclosure vulnerability in NVIDIA GPU driver</h3> 1526 <p> 1527 An information disclosure vulnerability in the NVIDIA GPU driver could enable a 1528 local malicious application to access data outside of its permission levels. 1529 This issue is rated as High because it first requires compromising a 1530 privileged process. 1531 </p> 1532 <table> 1533 <col width="19%"> 1534 <col width="20%"> 1535 <col width="10%"> 1536 <col width="23%"> 1537 <col width="17%"> 1538 <tr> 1539 <th>CVE</th> 1540 <th>References</th> 1541 <th>Severity</th> 1542 <th>Updated Nexus devices</th> 1543 <th>Date reported</th> 1544 </tr> 1545 <tr> 1546 <td>CVE-2016-6677</td> 1547 <td>A-30259955*<br> 1548 N-CVE-2016-6677</td> 1549 <td>High</td> 1550 <td>Nexus 9</td> 1551 <td>Jul 19, 2016</td> 1552 </tr> 1553 </table> 1554 <p> 1555 * The patch for this issue is not publicly available. The update is contained in 1556 the latest binary drivers for Nexus devices available from the 1557 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1558 site</a>. 1559 </p> 1560 <h3 1561 id="eopv-in-qualcomm-character-driver">Elevation 1562 of privilege vulnerability in Qualcomm character driver</h3> 1563 <p> 1564 An elevation of privilege vulnerability in the Qualcomm character driver could 1565 enable a local malicious application to execute arbitrary code within the 1566 context of the kernel. This issue is rated as Moderate because it first requires 1567 compromising a privileged process, and the vulnerable code is currently not 1568 accessible. 1569 </p> 1570 <table> 1571 <col width="19%"> 1572 <col width="20%"> 1573 <col width="10%"> 1574 <col width="23%"> 1575 <col width="17%"> 1576 <tr> 1577 <th>CVE</th> 1578 <th>References</th> 1579 <th>Severity</th> 1580 <th>Updated Nexus devices</th> 1581 <th>Date reported</th> 1582 </tr> 1583 <tr> 1584 <td>CVE-2015-0572</td> 1585 <td>A-29156684<br> 1586 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=34ad3d34fbff11b8e1210b9da0dac937fb956b61">QC-CR#848489</a></td> 1587 <td>Moderate</td> 1588 <td>Nexus 5X, Nexus 6P</td> 1589 <td>May 28, 2016</td> 1590 </tr> 1591 </table> 1592 <h3 1593 id="information-disclosure-vulnerability-in-qualcomm-sound-driver">Information 1594 disclosure vulnerability in Qualcomm sound driver</h3> 1595 <p> 1596 An information disclosure vulnerability in the Qualcomm sound driver could 1597 enable a local malicious application to access data outside of its permission 1598 levels. This issue is rated as Moderate because it first requires compromising a 1599 privileged process. 1600 </p> 1601 <table> 1602 <col width="19%"> 1603 <col width="20%"> 1604 <col width="10%"> 1605 <col width="23%"> 1606 <col width="17%"> 1607 <tr> 1608 <th>CVE</th> 1609 <th>References</th> 1610 <th>Severity</th> 1611 <th>Updated Nexus devices</th> 1612 <th>Date reported</th> 1613 </tr> 1614 <tr> 1615 <td>CVE-2016-3860</td> 1616 <td>A-29323142<br> 1617 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/diff/sound/soc/msm/qdsp6v2/audio_calibration.c?id=528976f54be246ec93a71ac53aa4faf3e3791c48">QC-CR#1038127</a></td> 1618 <td>Moderate</td> 1619 <td>Nexus 5X, Nexus 6P, Android One</td> 1620 <td>Jun 13, 2016</td> 1621 </tr> 1622 </table> 1623 <h3 1624 id="information-disclosure-vulnerability-in-motorola-usbnet-driver">Information 1625 disclosure vulnerability in Motorola USBNet driver</h3> 1626 <p> 1627 An information disclosure vulnerability in the Motorola USBNet driver could 1628 enable a local malicious application to access data outside of its permission 1629 levels. This issue is rated as Moderate because it first requires compromising a 1630 privileged process. 1631 </p> 1632 <table> 1633 <col width="19%"> 1634 <col width="20%"> 1635 <col width="10%"> 1636 <col width="23%"> 1637 <col width="17%"> 1638 <tr> 1639 <th>CVE</th> 1640 <th>References</th> 1641 <th>Severity</th> 1642 <th>Updated Nexus devices</th> 1643 <th>Date reported</th> 1644 </tr> 1645 <tr> 1646 <td>CVE-2016-6678</td> 1647 <td>A-29914434*</td> 1648 <td>Moderate</td> 1649 <td>Nexus 6</td> 1650 <td>Jun 30, 2016</td> 1651 </tr> 1652 </table> 1653 <p> 1654 * The patch for this issue is not publicly available. The update is contained in 1655 the latest binary drivers for Nexus devices available from the 1656 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1657 site</a>. 1658 </p> 1659 <h3 id="information-disclosure-vulnerability-in-qualcomm-components">Information 1660 disclosure vulnerability in Qualcomm components</h3> 1661 <p> 1662 An information disclosure vulnerability in Qualcomm components, including the 1663 sound driver, IPA driver and Wi-Fi driver could enable a local malicious 1664 application to access data outside of its permission levels. This issue is rated 1665 as Moderate because it first requires compromising a privileged process. 1666 </p> 1667 <table> 1668 <col width="19%"> 1669 <col width="20%"> 1670 <col width="10%"> 1671 <col width="23%"> 1672 <col width="17%"> 1673 <tr> 1674 <th>CVE</th> 1675 <th>References</th> 1676 <th>Severity</th> 1677 <th>Updated Nexus devices</th> 1678 <th>Date reported</th> 1679 </tr> 1680 <tr> 1681 <td>CVE-2016-6679</td> 1682 <td>A-29915601<br> 1683 <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=d39345f0abc309959d831d09fcbf1619cc0ae0f5">QC-CR#1000913</a> 1684 [<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f081695446679aa44baa0d00940ea18455eeb4c5">2</a>]</td> 1685 <td>Moderate</td> 1686 <td>Nexus 5X, Android One</td> 1687 <td>Jun 30, 2016</td> 1688 </tr> 1689 <tr> 1690 <td>CVE-2016-3902</td> 1691 <td>A-29953313*<br> 1692 <a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2fca425d781572393fbe51abe2e27a932d24a768">QC-CR#1044072</a></td> 1693 <td>Moderate</td> 1694 <td>Nexus 5X, Nexus 6P,</td> 1695 <td>Jul 2, 2016</td> 1696 </tr> 1697 <tr> 1698 <td>CVE-2016-6680</td> 1699 <td>A-29982678*<br> 1700 <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=2f2fa073b95d4700de88c0f7558b4a18c13ac552">QC-CR#1048052</a></td> 1701 <td>Moderate</td> 1702 <td>Nexus 5X, Android One</td> 1703 <td>Jul 3, 2016</td> 1704 </tr> 1705 <tr> 1706 <td>CVE-2016-6681</td> 1707 <td>A-30152182<br> 1708 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395">QC-CR#1049521</a></td> 1709 <td>Moderate</td> 1710 <td>Nexus 5X, Nexus 6P, Android One</td> 1711 <td>Jul 14, 2016</td> 1712 </tr> 1713 <tr> 1714 <td>CVE-2016-6682</td> 1715 <td>A-30152501<br> 1716 <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395">QC-CR#1049615</a></td> 1717 <td>Moderate</td> 1718 <td>Nexus 5X, Nexus 6P, Android One</td> 1719 <td>Jul 14, 2016</td> 1720 </tr> 1721 </table> 1722 <p> 1723 * The patch for this issue is not publicly available. The update is contained in 1724 the latest binary drivers for Nexus devices available from the 1725 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1726 site</a>. 1727 </p> 1728 <h3 id="information-disclosure-vulnerability-in-kernel-components">Information 1729 disclosure vulnerability in kernel components</h3> 1730 <p> 1731 An information disclosure vulnerability in kernel components, including 1732 Binder, Sync, Bluetooth, and Sound driver, could enable a local malicious 1733 application to access data outside of its permission levels. This issue is 1734 rated as Moderate because it first requires compromising a privileged process. 1735 </p> 1736 <table> 1737 <col width="19%"> 1738 <col width="18%"> 1739 <col width="10%"> 1740 <col width="25%"> 1741 <col width="17%"> 1742 <tr> 1743 <th>CVE</th> 1744 <th>References</th> 1745 <th>Severity</th> 1746 <th>Updated Nexus devices</th> 1747 <th>Date reported</th> 1748 </tr> 1749 <tr> 1750 <td>CVE-2016-6683</td> 1751 <td>A-30143283*</td> 1752 <td>Moderate</td> 1753 <td>All Nexus</td> 1754 <td>Jul 13, 2016</td> 1755 </tr> 1756 <tr> 1757 <td>CVE-2016-6684</td> 1758 <td>A-30148243*</td> 1759 <td>Moderate</td> 1760 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Android One</td> 1761 <td>Jul 13, 2016</td> 1762 </tr> 1763 <tr> 1764 <td>CVE-2015-8956</td> 1765 <td>A-30149612*</td> 1766 <td>Moderate</td> 1767 <td>Nexus 5, Nexus 6P, Android One</td> 1768 <td>Jul 14, 2016</td> 1769 </tr> 1770 <tr> 1771 <td>CVE-2016-6685</td> 1772 <td>A-30402628*</td> 1773 <td>Moderate</td> 1774 <td>Nexus 6P</td> 1775 <td>Jul 25, 2016</td> 1776 </tr> 1777 </table> 1778 <p> 1779 * The patch for this issue is not publicly available. The update is contained in 1780 the latest binary drivers for Nexus devices available from the 1781 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1782 site</a>. 1783 </p> 1784 <h3 id="information-disclosure-vulnerability-in-nvidia-profiler">Information 1785 disclosure vulnerability in NVIDIA profiler</h3> 1786 <p> 1787 An information disclosure vulnerability in the NVIDIA profiler could enable a 1788 local malicious application to access data outside of its permission levels. 1789 This issue is rated as Moderate because it first requires compromising a 1790 privileged process. 1791 </p> 1792 <table> 1793 <col width="19%"> 1794 <col width="20%"> 1795 <col width="10%"> 1796 <col width="23%"> 1797 <col width="17%"> 1798 <tr> 1799 <th>CVE</th> 1800 <th>References</th> 1801 <th>Severity</th> 1802 <th>Updated Nexus devices</th> 1803 <th>Date reported</th> 1804 </tr> 1805 <tr> 1806 <td>CVE-2016-6686</td> 1807 <td>A-30163101*<br> 1808 N-CVE-2016-6686</td> 1809 <td>Moderate</td> 1810 <td>Nexus 9</td> 1811 <td>Jul 15, 2016</td> 1812 </tr> 1813 <tr> 1814 <td>CVE-2016-6687</td> 1815 <td>A-30162222*<br> 1816 N-CVE-2016-6687</td> 1817 <td>Moderate</td> 1818 <td>Nexus 9</td> 1819 <td>Jul 15, 2016</td> 1820 </tr> 1821 <tr> 1822 <td>CVE-2016-6688</td> 1823 <td>A-30593080*<br> 1824 N-CVE-2016-6688</td> 1825 <td>Moderate</td> 1826 <td>Nexus 9</td> 1827 <td>Aug 2, 2016</td> 1828 </tr> 1829 </table> 1830 <p> 1831 * The patch for this issue is not publicly available. The update is contained in 1832 the latest binary drivers for Nexus devices available from the 1833 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1834 site</a>. 1835 </p> 1836 <h3 id="information-disclosure-vulnerability-in-kernel">Information disclosure 1837 vulnerability in kernel</h3> 1838 <p> 1839 An information disclosure vulnerability in Binder could enable a local malicious 1840 application to access data outside of its permission levels. This issue is rated 1841 as Moderate because it first requires compromising a privileged process. 1842 </p> 1843 <table> 1844 <col width="19%"> 1845 <col width="20%"> 1846 <col width="10%"> 1847 <col width="23%"> 1848 <col width="17%"> 1849 <tr> 1850 <th>CVE</th> 1851 <th>References</th> 1852 <th>Severity</th> 1853 <th>Updated Nexus devices</th> 1854 <th>Date reported</th> 1855 </tr> 1856 <tr> 1857 <td>CVE-2016-6689</td> 1858 <td>A-30768347*</td> 1859 <td>Moderate</td> 1860 <td>All Nexus</td> 1861 <td>Aug 9, 2016</td> 1862 </tr> 1863 </table> 1864 <p> 1865 * The patch for this issue is not publicly available. The update is contained in 1866 the latest binary drivers for Nexus devices available from the 1867 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1868 site</a>. 1869 </p> 1870 <h3 id="dosv-in-kernel-networking-subsystem">Denial of service vulnerability 1871 in kernel networking subsystem</h3> 1872 <p> 1873 A denial of service vulnerability in the kernel networking subsystem could 1874 enable an attacker to block access to TCP connections and cause a temporary 1875 remote denial of service. This issue is rated as Moderate because cellular 1876 services are still available and the device is still usable. 1877 </p> 1878 <table> 1879 <col width="19%"> 1880 <col width="18%"> 1881 <col width="10%"> 1882 <col width="25%"> 1883 <col width="17%"> 1884 <tr> 1885 <th>CVE</th> 1886 <th>References</th> 1887 <th>Severity</th> 1888 <th>Updated Nexus devices</th> 1889 <th>Date reported</th> 1890 </tr> 1891 <tr> 1892 <td>CVE-2016-5696</td> 1893 <td>A-30809774<br> 1894 <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758">Upstream 1895 kernel</a></td> 1896 <td>Moderate</td> 1897 <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One</td> 1898 <td>Jul 12, 2016</td> 1899 </tr> 1900 </table> 1901 <h3 id="dosv-in-kernel-sound-driver">Denial of service vulnerability in kernel 1902 sound driver</h3> 1903 <p> 1904 A denial of service vulnerability in the kernel could allow a local malicious 1905 application to cause a device reboot. This issue is rated as Low because it is a 1906 temporary denial of service. 1907 </p> 1908 <table> 1909 <col width="19%"> 1910 <col width="18%"> 1911 <col width="10%"> 1912 <col width="25%"> 1913 <col width="17%"> 1914 <tr> 1915 <th>CVE</th> 1916 <th>References</th> 1917 <th>Severity</th> 1918 <th>Updated Nexus devices</th> 1919 <th>Date reported</th> 1920 </tr> 1921 <tr> 1922 <td>CVE-2016-6690</td> 1923 <td>A-28838221*</td> 1924 <td>Low</td> 1925 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus Player</td> 1926 <td>May 18, 2016</td> 1927 </tr> 1928 </table> 1929 <p> 1930 * The patch for this issue is not publicly available. The update is contained in 1931 the latest binary drivers for Nexus devices available from the 1932 <a href="https://developers.google.com/android/nexus/drivers">Google Developer 1933 site</a>. 1934 </p> 1935 <h3 id="vulnerabilities-in-qualcomm-components">Vulnerabilities in Qualcomm 1936 components</h3> 1937 <p> 1938 The table below contains a list of security vulnerabilities that affect Qualcomm 1939 components. 1940 </p> 1941 <table> 1942 <col width="19%"> 1943 <col width="20%"> 1944 <col width="10%"> 1945 <col width="23%"> 1946 <col width="17%"> 1947 <tr> 1948 <th>CVE</th> 1949 <th>References</th> 1950 <th>Severity</th> 1951 <th>Updated Nexus devices</th> 1952 <th>Date reported</th> 1953 </tr> 1954 <tr> 1955 <td>CVE-2016-6691</td> 1956 <td><a href="https://source.codeaurora.org/quic/la//platform/frameworks/opt/net/wifi/commit/?id=343f123c396b2a97fc7cce396cd5d99365cb9131">QC-CR#978452</a></td> 1957 <td>High</td> 1958 <td>None</td> 1959 <td>Jul 2016</td> 1960 </tr> 1961 <tr> 1962 <td>CVE-2016-6692</td> 1963 <td><a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3">QC-CR#1004933</a></td> 1964 <td>High</td> 1965 <td>None</td> 1966 <td>Aug 2016</td> 1967 </tr> 1968 <tr> 1969 <td>CVE-2016-6693</td> 1970 <td><a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ac328eb631fa74a63d5d2583e6bfeeb5a7a2df65">QC-CR#1027585</a></td> 1971 <td>High</td> 1972 <td>None</td> 1973 <td>Aug 2016</td> 1974 </tr> 1975 <tr> 1976 <td>CVE-2016-6694</td> 1977 <td><a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=961e38553aae8ba9b1af77c7a49acfbb7b0b6f62">QC-CR#1033525</a></td> 1978 <td>High</td> 1979 <td>None</td> 1980 <td>Aug 2016</td> 1981 </tr> 1982 <tr> 1983 <td>CVE-2016-6695</td> 1984 <td><a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=c319c2b0926d1ea5edb4d0778d88bd3ce37c4b95">QC-CR#1033540</a></td> 1985 <td>High</td> 1986 <td>None</td> 1987 <td>Aug 2016</td> 1988 </tr> 1989 <tr> 1990 <td>CVE-2016-6696</td> 1991 <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c3c9341bfdf93606983f893a086cb33a487306e5">QC-CR#1041130</a></td> 1992 <td>High</td> 1993 <td>None</td> 1994 <td>Aug 2016</td> 1995 </tr> 1996 <tr> 1997 <td>CVE-2016-5344</td> 1998 <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64e15c36d6c1c57dc2d95a3f163bc830a469fc20">QC-CR#993650</a></td> 1999 <td>Moderate</td> 2000 <td>None</td> 2001 <td>Aug 2016</td> 2002 </tr> 2003 <tr> 2004 <td>CVE-2016-5343</td> 2005 <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=6927e2e0af4dcac357be86ba563c9ae12354bb08">QC-CR#1010081</a></td> 2006 <td>Moderate</td> 2007 <td>None</td> 2008 <td>Aug 2016</td> 2009 </tr> 2010 </table> 2011 <h2 id="common-questions-and-answers">Common Questions and Answers</h2> 2012 <p> 2013 This section answers common questions that may occur after reading this 2014 bulletin. 2015 </p> 2016 <p> 2017 <strong>1. How do I determine if my device is updated to address these issues? 2018 </strong> 2019 </p> 2020 <p> 2021 Security Patch Levels of 2016-10-01 or later address all issues associated with 2022 the 2016-10-01 security patch string level. Security Patch Levels of 2016-10-05 2023 or later address all issues associated with the 2016-10-05 security patch string 2024 level. Refer to the <a href="https://support.google.com/nexus/answer/4457705">help center</a> for 2025 instructions on how to check the security patch level. Device manufacturers that 2026 include these updates should set the patch string level to: 2027 [ro.build.version.security_patch]:[2016-10-01] or 2028 [ro.build.version.security_patch]:[2016-10-05]. 2029 </p> 2030 <p> 2031 <strong>2. Why does this bulletin have two security patch level 2032 strings?</strong> 2033 </p> 2034 <p> 2035 This bulletin has two security patch level strings so that Android partners have 2036 the flexibility to fix a subset of vulnerabilities that are similar across all 2037 Android devices more quickly. Android partners are encouraged to fix all issues 2038 in this bulletin and use the latest security patch level string. 2039 </p> 2040 <p> 2041 Devices that use the security patch level of October 5, 2016 or newer must 2042 include all applicable patches in this (and previous) security bulletins. 2043 </p> 2044 <p> 2045 Devices that use the October 1, 2016 security patch level must include all 2046 issues associated with that security patch level, as well as fixes for all 2047 issues reported in previous security bulletins. 2048 </p> 2049 <p> 2050 <strong>3. How do I determine which Nexus devices are affected by each 2051 issue?</strong> 2052 </p> 2053 <p> 2054 In the <a href="#2016-10-01-details">2016-10-01</a> and 2055 <a href="#2016-10-05-details">2016-10-05</a> 2056 security vulnerability details sections, each table has an <em>Updated Nexus 2057 devices</em> column that covers the range of affected Nexus devices updated for 2058 each issue. This column has a few options: 2059 </p> 2060 <ul> 2061 <li><strong>All Nexus devices</strong>: If an issue affects all Nexus devices, 2062 the table will have All Nexus in the <em>Updated Nexus devices</em> column. 2063 All Nexus encapsulates the following <a 2064 href="https://support.google.com/nexus/answer/4457705#nexus_devices">supported 2065 devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, 2066 Android One, Nexus Player and Pixel C.</li> 2067 <li><strong>Some Nexus devices</strong>: If an issue doesnt affect all Nexus 2068 devices, the affected Nexus devices are listed in the <em>Updated Nexus 2069 devices</em> column.</li> 2070 <li><strong>No Nexus devices</strong>: If no Nexus devices running Android 7.0 2071 are affected by the issue, the table will have None in the <em>Updated Nexus 2072 devices</em> column.</li> 2073 </ul> 2074 <p> 2075 <strong>4. What do the entries in the references column map to?</strong> 2076 </p> 2077 <p> 2078 Entries under the <em>References</em> column of the vulnerability details table 2079 may contain a prefix identifying the organization to which the reference value 2080 belongs. These prefixes map as follows: 2081 </p> 2082 <table> 2083 <tr> 2084 <th>Prefix</th> 2085 <th>Reference</th> 2086 </tr> 2087 <tr> 2088 <td>A-</td> 2089 <td>Android bug ID</td> 2090 </tr> 2091 <tr> 2092 <td>QC-</td> 2093 <td>Qualcomm reference number</td> 2094 </tr> 2095 <tr> 2096 <td>M-</td> 2097 <td>MediaTek reference number</td> 2098 </tr> 2099 <tr> 2100 <td>N-</td> 2101 <td>NVIDIA reference number</td> 2102 </tr> 2103 <tr> 2104 <td>B-</td> 2105 <td>Broadcom reference number</td> 2106 </tr> 2107 </table> 2108 2109 <h2 id="revisions">Revisions</h2> 2110 <ul> 2111 <li>October 03, 2016: Bulletin published.</li> 2112 <li>October 04, 2016: Bulletin revised to include AOSP links and update 2113 attributions for CVE-2016-3920, CVE-2016-6693, CVE-2016-6694, 2114 CVE-2016-6695, and CVE-2016-6696.</li> 2115 </ul> 2116 2117 </body> 2118 </html> 2119
