xref: /docs/source.android.com/en/security/bulletin/2016-11-01.html

<html devsite>
  <head>
    <title>Android Security BulletinNovember 2016</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->


<p><em>Published November 07, 2016 | Updated December 21, 2016</em></p>
<p>
The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Alongside the bulletin, we have released a security
update to Google devices through an over-the-air (OTA) update. The Google device
firmware images have also been released to the
<a href="https://developers.google.com/android/nexus/images">Google Developer
site</a>. Security patch levels of November 06, 2016 or later address all of
these issues. Refer to the
<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
and Nexus update schedule</a> to learn how to check a device's security patch level.</p>
<p>
Partners were notified of the issues described in the bulletin on October 20,
2016 or earlier. Where applicable, source code patches for these issues have
been released to the Android Open Source Project (AOSP) repository. This
bulletin also includes links to patches outside of AOSP.
</p>
<p>
The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods such
as email, web browsing, and MMS when processing media files. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.</p>
<p>
We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the
<a href="#mitigations">Android and Google service
mitigations</a> section for details on the
<a href="/security/enhancements/index.html">Android
security platform protections</a> and service protections such as
<a href="https://developer.android.com/training/safetynet/index.html">SafetyNet</a>,
which improve the security of the Android platform.</p>
<p>
We encourage all customers to accept these updates to their devices.</p>
<h2 id="announcements">Announcements</h2>
<ul>
 <li>With the introduction of the Pixel and Pixel XL devices, the term for
  <a href="#google-devices">all devices supported by Google</a> is
  "Google devices" instead of "Nexus devices."
 </li>
 <li>This bulletin has three security patch levels to provide Android partners
 with the flexibility to more quickly fix a subset of vulnerabilities that are
 similar across all Android devices. See
 <a href="#common-questions-and-answers">Common questions and answers</a> for
 additional information:
  <ul>
   <li><strong>2016-11-01</strong>: Partial security patch level. This security
   patch level indicates that all issues associated with 2016-11-01 (and all
   previous security patch level) are addressed.</li>
   <li><strong>2016-11-05</strong>: Complete security patch level. This security
   patch level indicates that all issues associated with 2016-11-01 and 2016-11-05
   (and all previous security patch levels) are addressed.</li>
   <li><strong>Supplemental security patch levels</strong>
    <p>Supplemental security patch levels are provided to identify devices
       that contain fixes for issues that were publicly disclosed after the
       patch level was defined. Addressing these recently disclosed
       vulnerabilities is not required until the 2016-12-01 security patch level.
    </p>
    <ul>
     <li><strong>2016-11-06</strong>: This security patch level indicates that the
     device has addressed all issues associated with 2016-11-05 and CVE-2016-5195,
     which was publicly disclosed on October 19, 2016.</li>
    </ul>
   </li>
  </ul>
</li>
<li>Supported Google devices will receive a single OTA update with the November
05, 2016 security patch level.</li>
</ul>

<h2 id="mitigations">Android and Google service
mitigations</h2>
<p>
This is a summary of the mitigations provided by the
<a href="/security/enhancements/index.html">Android
security platform</a> and service protections, such as SafetyNet. These
capabilities reduce the likelihood that security vulnerabilities could be
successfully exploited on Android.</p>
<ul>
  <li>Exploitation for many issues on Android is made more difficult by
  enhancements in newer versions of the Android platform. We encourage all users
  to update to the latest version of Android where possible.</li>
  <li>The Android Security team actively monitors for abuse with
  <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify
  Apps and SafetyNet</a>, which are designed to warn users about
  <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
  Harmful Applications</a>. Verify Apps is enabled by default on devices with
  <a href="http://www.android.com/gms">Google Mobile Services</a> and is especially
  important for users who install applications from outside of Google Play. Device
  rooting tools are prohibited within Google Play, but Verify Apps warns users
  when they attempt to install a detected rooting applicationno matter where it
  comes from. Additionally, Verify Apps attempts to identify and block
  installation of known malicious applications that exploit a privilege escalation
  vulnerability. If such an application has already been installed, Verify Apps
  will notify the user and attempt to remove the detected application.</li>
  <li>As appropriate, Google Hangouts and Messenger applications do not
  automatically pass media to processes such as Mediaserver.</li>
</ul>
<h2 id="acknowledgements">Acknowledgements</h2>
<p>
We would like to thank these researchers for their contributions:</p>
<ul>
  <li>Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security
  Team: CVE-2016-6722</li>
  <li>Andrei Kapishnikov and Miriam Gershenson of Google: CVE-2016-6703</li>
  <li>Ao Wang (<a href="https://twitter.com/ArayzSegment">@ArayzSegment</a>) and
     <a href="http://weibo.com/ele7enxxh">Zinuo Han</a> of
     <a href="http://www.pkav.net">PKAV</a>, Silence Information Technology:
  CVE-2016-6700, CVE-2016-6702</li>
  <li>Askyshang of Security Platform Department, Tencent: CVE-2016-6713</li>
  <li>Billy Lau of Android Security: CVE-2016-6737</li>
  <li><a href="mailto:kpatsak (a] unipi.gr">Constantinos Patsakis</a> and
      <a href="mailto:talepis (a] unipi.gr">Efthimios Alepis</a> of University of Piraeus:
  CVE-2016-6715</li>
  <li>dragonltx of Alibaba mobile security team: CVE-2016-6714</li>
  <li>Gal Beniamini of Project Zero: CVE-2016-6707, CVE-2016-6717</li>
  <li>Gengjia Chen (<a href="http://twitter.com/chengjia4574">@chengjia4574</a>)
  and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab,
<a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>.: CVE-2016-6725,
  CVE-2016-6738, CVE-2016-6740, CVE-2016-6741, CVE-2016-6742, CVE-2016-6744,
  CVE-2016-6745, CVE-2016-3906</li>
  <li>Guang Gong () (<a href="http://twitter.com/oldfresher">@oldfresher</a>) of
  Alpha Team, <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>.:
  CVE-2016-6754</li>
  <li>Jianqiang Zhao (<a
  href="http://twitter.com/jianqiangzhao">@jianqiangzhao</a>) and
<a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab,
<a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>.: CVE-2016-6739,
  CVE-2016-3904, CVE-2016-3907, CVE-2016-6698</li>
  <li>Marco Grassi (<a href="http://twitter.com/marcograss">@marcograss</a>) of
  Keen Lab of Tencent (<a href="http://twitter.com/keen_lab">@keen_lab</a>):
  CVE-2016-6828</li>
  <li>Mark Brand of Project Zero: CVE-2016-6706</li>
  <li>Mark Renouf of Google: CVE-2016-6724</li>
  <li>Micha Bednarski (<a
  href="https://github.com/michalbednarski">github.com/michalbednarski</a>):
  CVE-2016-6710</li>
  <li>Min Chong of Android Security: CVE-2016-6743</li>
  <li>Peter Pi (<a href="http://twitter.com/heisecode">@heisecode</a>) of Trend
  Micro: CVE-2016-6721</li>
  <li>Qidan He () (<a href="http://twitter.com/flanker_hqd">@flanker_hqd</a>)
  and Gengming Liu () (<a href="http://twitter.com/dmxcsnsbh">@dmxcsnsbh</a>)
  of KeenLab, Tencent: CVE-2016-6705</li>
  <li>Robin Lee of Google: CVE-2016-6708</li>
  <li><a href="mailto:sbauer (a] plzdonthack.me">Scott Bauer</a> (<a
  href="http://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2016-6751</li>
  <li>Sergey Bobrov (<a href="http://twitter.com/Black2Fan">@Black2Fan</a>) of
  Kaspersky Lab: CVE-2016-6716</li>
  <li>Seven Shen (<a href="http://twitter.com/lingtongshen">@lingtongshen</a>) of
  Trend Micro Mobile Threat Research Team: CVE-2016-6748, CVE-2016-6749,
  CVE-2016-6750, CVE-2016-6753</li>
  <li>Victor van der Veen, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida of
  Vrije Universiteit Amsterdam and Yanick Fratantonio, Martina Lindorfer, and
  Giovanni Vigna of University of California, Santa Barbara: CVE-2016-6728</li>
  <li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
  Alibaba Inc: CVE-2016-6712, CVE-2016-6699, CVE-2016-6711</li>
  <li>Wenke Dou (<a
  href="mailto:vancouverdou (a] gmail.com">vancouverdou (a] gmail.com</a>), Chiachih Wu
  (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang
  of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6720</li>
  <li>Wish Wu () (<a href="http://twitter.com/wish_wu">@wish_wu</a>) of Trend
  Micro Inc.: CVE-2016-6704</li>
  <li>Yakov Shafranovich of
<a href="https://wwws.nightwatchcybersecurity.com">Nightwatch Cybersecurity</a>:
  CVE-2016-6723</li>
  <li><a href="mailto:computernik (a] gmail.com">Yuan-Tsung Lo</a>,
<a href="mailto:yaojun8558363 (a] gmail.com">Yao Jun</a>,
<a href="mailto:segfault5514 (a] gmail.com">Tong Lin</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of
<a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6730, CVE-2016-6732,
  CVE-2016-6734, CVE-2016-6736</li>
  <li><a href="mailto:computernik (a] gmail.com">Yuan-Tsung Lo</a>,
<a href="mailto:yaojun8558363 (a] gmail.com">Yao Jun</a>,
<a href="mailto:wisedd (a] gmail.com">Xiaodong Wang</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of
<a href="http://c0reteam.org">C0RE Team</a>:  CVE-2016-6731, CVE-2016-6733,
  CVE-2016-6735, CVE-2016-6746</li>
</ul>
<p>
Additional thanks to Zach Riggle of Android Security for his contributions
to several issues in this bulletin.</p>

<h2 id="2016-11-01-details">2016-11-01 security patch levelVulnerability details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2016-11-01 patch level. There is a description of
the issue, a severity rationale, and a table with the CVE, associated
references, severity, updated Google devices, updated AOSP versions (where
applicable), and date reported. When available, we will link the public change
that addressed the issue to the bug ID, like the AOSP change list. When multiple
changes relate to a single bug, additional references are linked to numbers
following the bug ID.</p>

<h3 id="rce-in-mediaserver">Remote code execution vulnerability in Mediaserver</h3>
<p>
A remote code execution vulnerability in Mediaserver could enable an attacker
using a specially crafted file to cause memory corruption during media file and
data processing. This issue is rated as Critical due to the possibility of
remote code execution within the context of the Mediaserver process.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6699</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/3b1c9f692c4d4b7a683c2b358fc89e831a641b88">
       A-31373622</a></td>
   <td>Critical</td>
   <td>All</td>
   <td>7.0</td>
   <td>Jul 27, 2016</td>
  </tr>
</table>
<h3 id="eop-in-libzipfile">Elevation of privilege vulnerability in libzipfile</h3>
<p>
An elevation of privilege vulnerability in libzipfile could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as Critical due to the possibility of a
local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6700</td>
   <td>A-30916186</td>
   <td>Critical</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1</td>
   <td>Aug 17, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="rce-in-skia">Remote code execution vulnerability in Skia</h3>
<p>
A remote code execution vulnerability in libskia could enable an attacker using
a specially crafted file to cause memory corruption during media file and data
processing. This issue is rated as High due to the possibility of remote code
execution within the context of the gallery process.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6701</td>
   <td><a href="https://android.googlesource.com/platform/external/skia/+/aca73722873e908633ff27375f6f93a08cbb7dd3">
       A-30190637</a></td>
   <td>High</td>
   <td>All</td>
   <td>7.0</td>
   <td>Google internal</td>
  </tr>
</table>
<h3 id="rce-in-libjpeg">Remote code execution vulnerability in libjpeg</h3>
<p>
A remote code execution vulnerability in libjpeg could enable an attacker using
a specially crafted file to execute arbitrary code in the context of an
unprivileged process. This issue is rated as High due to the possibility of
remote code execution in an application that uses libjpeg.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6702</td>
   <td>A-30259087</td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1</td>
   <td>Jul 19, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="rce-in-android-runtime">Remote code execution vulnerability in Android runtime</h3>
<p>
A remote code execution vulnerability in an Android runtime library could enable
an attacker using a specially crafted payload to execute arbitrary code in the
context of an unprivileged process. This issue is rated as High due to the
possibility of remote code execution in an application that uses the Android
runtime.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6703</td>
   <td>A-30765246</td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Google internal</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="eop-in-mediaserver">Elevation of privilege vulnerability in Mediaserver</h3>
<p>
An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to gain
local access to elevated capabilities, which are not normally accessible to a
third-party application.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6704</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c6c446f9e022adf20064e65a17574804f8af8e7d">
       A-30229821</a>
     [<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/9cb9810ecb63c8ff55ecf4bc77431dc5b0688b5f">2</a>]
     [<a href="https://android.googlesource.com/platform/system/media/+/a6274f03b4dfe1c3a22af51e3a17ea56a314e747">3</a>]
   </td>
   <td>High</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Jul 19, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6705</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/3a03fa24d21f97e84e796ac5ef14b3f434c0e8f1">
       A-30907212</a>
      [<a href="https://android.googlesource.com/platform/frameworks/av/+/bd04b47d38a89f1dada1c6da2ef4a3d235c166b8">2</a>]
   </td>
   <td>High</td>
   <td>All</td>
   <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6706</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/1d4feebdb85db46e138530f360d9ff2490e14353">
       A-31385713</a>
   </td>
   <td>High</td>
   <td>All</td>
   <td>7.0</td>
   <td>Sep 8, 2016</td>
  </tr>
</table>
<h3 id="eop-in-system-server">Elevation of privilege vulnerability in System Server</h3>
<p>
An elevation of privilege vulnerability in System Server could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to gain
local access to elevated capabilities, which are not normally accessible to a
third-party application.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6707</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/16024ea7c4bae08c972cf6b3734029aad33e8870">
       A-31350622</a>
   </td>
   <td>High</td>
   <td>All</td>
   <td>6.0, 6.0.1, 7.0</td>
   <td>Sep 7, 2016</td>
  </tr>
</table>
<h3 id="eop-in-system-ui">Elevation of privilege vulnerability in System UI</h3>
<p>
An elevation of privilege in the System UI could enable a local malicious user
to bypass the security prompt of a work profile in Multi-Window mode. This
issue is rated as High because it is a local bypass of user interaction
requirements for any developer or security setting modifications.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6708</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/c9c73fde339b4db496f2c1ff8c18df1e9db5a7c1">
       A-30693465</a>
   </td>
   <td>High</td>
   <td>All</td>
   <td>7.0</td>
   <td>Google internal</td>
  </tr>
</table>
<h3 id="id-in-conscrypt">Information disclosure vulnerability in Conscrypt</h3>
<p>
An information disclosure vulnerability in Conscrypt could enable
an attacker to gain access to sensitive information if a
legacy encryption API is used by an application. This issue is rated as High
because it could be used to access data without permission.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6709</td>
   <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/44ef9535b9afb123d150d8e0362e4bb50794dd41">
       A-31081987</a>
   </td>
   <td>High</td>
   <td>All</td>
   <td>6.0, 6.0.1, 7.0</td>
   <td>Oct 9, 2015</td>
  </tr>
</table>
<h3 id="id-in-download-manager">Information disclosure vulnerability in download
manager</h3>
<p>
An information disclosure vulnerability in the download manager could enable a
local malicious application to bypass operating system protections that isolate
application data from other applications. This issue is rated as High because it
could be used to gain access to data that the application does not have access
to.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6710</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/9fab683c9598d234dd8461335c276ed3e37c91e8">
       A-30537115</a>
      [<a href="https://android.googlesource.com/platform/packages/providers/DownloadProvider/+/243e62949f7208d3b82eda3ee4ec22d3dbc1fb19">2</a>]
   </td>
   <td>High</td>
   <td>All</td>
   <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Jul 30, 2016</td>
  </tr>
</table>
<h3 id="dos-in-bluetooth">Denial of service
vulnerability in Bluetooth</h3>
<p>
A denial of service vulnerability in Bluetooth could enable a proximate attacker
to block Bluetooth access to an affected device. This issue is rated as High due
to the possibility of remote denial of service.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2014-9908</td>
   <td>A-28672558</td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1</td>
   <td>May 5, 2014</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="dos-in-openjdk">Denial of service
vulnerability in OpenJDK</h3>
<p>
A remote denial of service vulnerability in OpenJDK could enable an attacker to
use a specially crafted file to cause a device hang or reboot. This issue is
rated as High due to the possibility of remote denial of service.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2015-0410</td>
   <td><a href="https://android.googlesource.com/platform/libcore/+/21098574528bdf99dd50a74a60e161573e999108">
       A-30703445</a>
   </td>
   <td>High</td>
   <td>All</td>
   <td>7.0</td>
   <td>Jan 16, 2015</td>
  </tr>
</table>
<h3 id="dos-in-mediaserver">Denial of service
vulnerability in Mediaserver</h3>
<p>
A remote denial of service vulnerability in Mediaserver could enable an attacker
to use a specially crafted file to cause a device hang or reboot. This issue is
rated as High due to the possibility of remote denial of service.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6711</td>
   <td><a href="https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693">
       A-30593765</a>
   </td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Aug 1, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6712</td>
   <td><a href="https://android.googlesource.com/platform/external/libvpx/+/fdb1b40e7bb147c07bda988c9501ad223795d12d">
       A-30593752</a>
   </td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Aug 1, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6713</td>
   <td><a href="https://android.googlesource.com/platform/external/libavc/+/8cafca0e8b1ed8125918e203118c5a4e612fd56c">
       A-30822755</a></td>
   <td>High</td>
   <td>All</td>
   <td>6.0, 6.0.1, 7.0</td>
   <td>Aug 11, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6714</td>
   <td><a href="https://android.googlesource.com/platform/external/libavc/+/5bdb0a6b72782e505671a387bb5f83222d891d6a">
       A-31092462</a>
   </td>
   <td>High</td>
   <td>All</td>
   <td>6.0, 6.0.1, 7.0</td>
   <td>Aug 22, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="eop-in-framework-apis">Elevation of
privilege vulnerability in Framework APIs</h3>
<p>
An elevation of privilege vulnerability in the Framework APIs could allow a
local malicious application to record audio without the user's permission. This
issue is rated as Moderate because it is a local bypass of user interaction
requirements (access to functionality that would normally require either user
initiation or user permission).
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6715</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/3de09838fb0996bb4b420630800ad34e828fd1b6">
       A-29833954</a>
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Jun 28, 2016</td>
  </tr>
</table>
<h3 id="eop-in-aosp-launcher">Elevation of
privilege vulnerability in AOSP Launcher</h3>
<p>
An elevation of privilege vulnerability in the AOSP Launcher could allow a local
malicious application to create shortcuts that have elevated privileges without
the user's consent. This issue is rated as Moderate because it is a local bypass
of user interaction requirements (access to functionality that would normally
require either user initiation or user permission).
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6716</td>
   <td><a href="https://android.googlesource.com/platform/packages/apps/Launcher3/+/e83fc11c982e67dd0181966f5f3a239ea6b14924">
       A-30778130</a>
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>7.0</td>
   <td>Aug 5, 2016</td>
  </tr>
</table>
<h3 id="eop-in-mediaserver-1">Elevation of
privilege vulnerability in Mediaserver</h3>
<p>
An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as Moderate because it first requires
exploitation of a separate vulnerability.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6717</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/45d9bbabbe7920bf4e0a68074b97d8260aef2e07">
       A-31350239</a>
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Sep 7, 2016</td>
  </tr>
</table>
<h3
id="eop-in-account-manager-service">Elevation
of privilege vulnerability in Account Manager Service</h3>
<p>
An elevation of privilege vulnerability in the Account Manager Service could
enable a local malicious application to retrieve sensitive information without
user interaction. This issue is rated as Moderate because it is a local bypass
of user interaction requirements (access to functionality that would normally
require either user initiation or user permission.)
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6718</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/fecfd550edeca422c0d9f32a9c0abe73398a1ff1">
       A-30455516</a>
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>7.0</td>
   <td>Google internal</td>
  </tr>
</table>
<h3 id="eop-in-bluetooth">Elevation of
privilege vulnerability in Bluetooth</h3>
<p>
An elevation of privilege vulnerability in the Bluetooth component could enable
a local malicious application to pair with any Bluetooth device without user
consent. This issue is rated as Moderate because it is a local bypass of user
interaction requirements (access to functionality that would normally require
either user initiation or user permission).
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6719</td>
   <td><a href="https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e1b6db10e913c09d0b695368336137f6aabee462">
       A-29043989</a>
      [<a href="https://android.googlesource.com/platform/frameworks/base/+/b1dc1757071ba46ee653d68f331486e86778b8e4">2</a>]
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Google internal</td>
  </tr>
</table>
<h3 id="id-in-mediaserver">Information
disclosure vulnerability in Mediaserver</h3>
<p>
An information disclosure vulnerability in Mediaserver could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it could be used to access sensitive data
without permission.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6720</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/0f177948ae2640bfe4d70f8e4248e106406b3b0a">
       A-29422020</a>
      [<a href="https://android.googlesource.com/platform/frameworks/av/+/2c75e1c3b98e4e94f50c63e2b7694be5f948477c">2</a>]
      [<a href="https://android.googlesource.com/platform/frameworks/av/+/7c88b498fda1c2b608a9dd73960a2fd4d7b7e3f7">3</a>]
      [<a href="https://android.googlesource.com/platform/frameworks/av/+/640b04121d7cd2cac90e2f7c82b97fce05f074a5">4</a>]</td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Jun 15, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6721</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f6bf0102bdc1adff973e08d8ce9c869c4e2efade">
       A-30875060</a></td>
   <td>Moderate</td>
   <td>All</td>
   <td>6.0, 6.0.1, 7.0</td>
   <td>Aug 13, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6722</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/89c03b3b9ff74a507a8b8334c50b08b334483556">
       A-31091777</a></td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Aug 23, 2016</td>
  </tr>
</table>
<h3 id="dos-in-proxy-auto-config">Denial of service
vulnerability in Proxy Auto Config</h3>
<p>
A denial of service vulnerability in Proxy Auto Config could enable a remote
attacker to use a specially crafted file to cause a device hang or reboot. This
issue is rated as Moderate because it requires an uncommon device configuration.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6723</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/d5b0d0b1df2e1a7943a4bb2034fd21487edd0264">
       A-30100884</a>
      [<a href="https://android.googlesource.com/platform/frameworks/base/+/31f351160cdfd9dbe9919682ebe41bde3bcf91c6">2</a>]
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Jul 11, 2016</td>
  </tr>
</table>
<h3 id="dos-in-input-manager-service">Denial of
service vulnerability in Input Manager Service</h3>
<p>
A denial of service vulnerability in the Input Manager Service could enable a
local malicious application to cause the device to continually reboot. This
issue is rated as Moderate because it is a temporary denial of service that
requires a factory reset to fix.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6724</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/base/+/7625010a2d22f8c3f1aeae2ef88dde37cbebd0bf">
       A-30568284</a>
   </td>
   <td>Moderate</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Google internal</td>
  </tr>
</table>
<h2 id="2016-11-05-details">2016-11-05 security patch levelVulnerability details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2016-11-05 patch level. There is a description of
the issue, a severity rationale, and a table with the CVE, associated
references, severity, updated Google devices, updated AOSP versions (where
applicable), and date reported. When available, we will link the public change
that addressed the issue to the bug ID, like the AOSP change list. When multiple
changes relate to a single bug, additional references are linked to numbers
following the bug ID.
</p>
<h3 id="rce-in-qualcomm-crypto-driver">Remote
code execution vulnerability in Qualcomm crypto driver</h3>
<p>
A remote code execution vulnerability in the Qualcomm crypto driver could enable
a remote attacker to execute arbitrary code within the context of the kernel.
This issue is rated as Critical due to the possibility of remote code execution
in the context of the kernel.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6725</td>
   <td>A-30515053<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=cc95d644ee8a043f2883d65dda20e16f95041de3">QC-CR#1050970</a></td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 25, 2016</td>
  </tr>
</table>
<h3 id="eop-in-kernel-file-system">Elevation of
privilege vulnerability in kernel file system</h3>
<p>
An elevation of privilege vulnerability in the kernel file system could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2015-8961</td>
   <td>A-30952474
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6934da9238da947628be83635e365df41064b09b">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Pixel, Pixel XL</td>
   <td>Oct 18, 2015</td>
  </tr>
  <tr>
   <td>CVE-2016-7911</td>
   <td>A-30946378
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8ba8682107ee2ca3347354e018865d8e1967c5f4">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Jul 01, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-7910</td>
   <td>A-30942273
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Jul 29, 2016</td>
  </tr>
</table>
<h3 id="eop-in-kernel-scsi-driver">Elevation of
privilege vulnerability in kernel SCSI driver</h3>
<p>
An elevation of privilege vulnerability in the kernel SCSI driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2015-8962</td>
   <td>A-30951599
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3951a3709ff50990bf3e188c27d346792103432">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Pixel, Pixel XL</td>
   <td>Oct 30, 2015</td>
  </tr>
</table>
<h3 id="eop-in-kernel-media-driver">Elevation
of privilege vulnerability in kernel media driver</h3>
<p>
An elevation of privilege vulnerability in the kernel media driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-7913</td>
   <td>A-30946097
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8dfbcc4351a0b6d2f2d77f367552f48ffefafe18">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Nexus 6P, Android One, Nexus Player, Pixel, Pixel XL</td>
   <td>Jan 28, 2016</td>
  </tr>
</table>
<h3 id="eop-in-kernel-usb-driver">Elevation of
privilege vulnerability in kernel USB driver</h3>
<p>
An elevation of privilege vulnerability in the kernel USB driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-7912</td>
   <td>A-30950866
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=38740a5b87d53ceb89eb2c970150f6e94e00373a">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Pixel C, Pixel, Pixel XL</td>
   <td>Apr 14, 2016</td>
  </tr>
</table>
<h3 id="eop-in-kernel-ion-subsystem">Elevation
of privilege vulnerability in kernel ION subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel ION subsystem could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6728</td>
   <td>A-30400942*</td>
   <td>Critical</td>
   <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
   <td>Jul 25, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="eop-in-qualcomm-bootloader">Elevation
of privilege vulnerability in Qualcomm bootloader</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm bootloader could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6729</td>
   <td>A-30977990*
<br>
QC-CR#977684</td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 25, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="eop-in-nvidia-gpu-driver">Elevation of
privilege vulnerability in NVIDIA GPU driver</h3>
<p>
An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6730</td>
   <td>A-30904789*<br>
       N-CVE-2016-6730</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6731</td>
   <td>A-30906023*<br>
       N-CVE-2016-6731</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6732</td>
   <td>A-30906599*<br>
       N-CVE-2016-6732</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6733</td>
   <td>A-30906694*<br>
       N-CVE-2016-6733</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6734</td>
   <td>A-30907120*<br>
       N-CVE-2016-6734</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6735</td>
   <td>A-30907701*<br>
       N-CVE-2016-6735</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 16, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6736</td>
   <td>A-30953284*<br>
       N-CVE-2016-6736</td>
   <td>Critical</td>
   <td>Pixel C</td>
   <td>Aug 18, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3
id="eop-in-kernel-networking-subsystem">Elevation
of privilege vulnerability in kernel networking subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel networking subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6828</td>
   <td>A-31183296
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/include/net/tcp.h?id=bb1fceca22492109be12640d49f5ea5a544c6bb4">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Aug 18, 2016</td>
  </tr>
</table>
<h3
id="eop-in-kernel-sound-subsystem">Elevation of
privilege vulnerability in kernel sound subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel sound subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-2184</td>
   <td>A-30952477
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=836b34a935abc91e13e63053d0a83b24dfb5ea78">Upstream
kernel</a></td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Mar 31, 2016</td>
  </tr>
</table>
<h3 id="eop-in-kernel-ion-subsystem-1">Elevation
of privilege vulnerability in kernel ION subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel ION subsystem could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6737</td>
   <td>A-30928456*</td>
   <td>Critical</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel C, Nexus Player, Pixel,
Pixel XL</td>
   <td>Google internal</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="vulnerabilities-in-qualcomm-components">Vulnerabilities in Qualcomm
components</h3>
<p>
The table below contains security vulnerabilities affecting Qualcomm components
and are described in further detail in Qualcomm AMSS June 2016 security
bulletin and Security Alert 80-NV606-17.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity*</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6727</td>
   <td>A-31092400**</td>
   <td>Critical</td>
   <td>Android One</td>
   <td>Qualcomm internal</td>
  </tr>
  <tr>
   <td>CVE-2016-6726</td>
   <td>A-30775830**</td>
   <td>High</td>
   <td>Nexus 6, Android One</td>
   <td>Qualcomm internal</td>
  </tr>
</table>
<p>* The severity rating for these vulnerabilities was determined by the vendor.</p>
<p>
** The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="rce-in-expat">Remote code execution
vulnerability in Expat</h3>
<p>
The table below contains security vulnerabilities affecting the Expat library.
The most severe of these issues is an elevation of privilege vulnerability in
the Expat XML parser, which could enable an attacker using a specially crafted
file to execute arbitrary code in an unprivileged process. This issue is rated
as High due to the possibility of arbitrary code execution in an application
that uses Expat.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>

  <tr>
   <td>CVE-2016-0718</td>
   <td><a href="https://android.googlesource.com/platform/external/expat/+/52ac633b73856ded34b33bd4adb4ab793bbbe963">
       A-28698301</a></td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>May 10, 2016</td>
  </tr>
  <tr>
   <td>CVE-2012-6702</td>
   <td><a href="https://android.googlesource.com/platform/external/expat/+/a11ff32280a863bff93df13ad643912ad9bf1302">
       A-29149404</a></td>
   <td>Moderate</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Mar 06, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-5300</td>
   <td><a href="https://android.googlesource.com/platform/external/expat/+/a11ff32280a863bff93df13ad643912ad9bf1302">
       A-29149404</a></td>
   <td>Moderate</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Jun 04, 2016</td>
  </tr>
  <tr>
   <td>CVE-2015-1283</td>
   <td><a href="https://android.googlesource.com/platform/external/expat/+/13b40c2040a17038b63a61e2b112c634da203d3b"> 
       A-27818751</a></td>
   <td>Low</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Jul 24, 2015</td>
  </tr>
</table>

<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="rce-in-webview">Remote code execution vulnerability in Webview</h3>
<p>
A remote code execution vulnerability in Webview could enable a remote attacker
to execute arbitrary code when the user is navigating to a website. This issue
is rated as High due to the possibility of remote code execution in an
unprivileged process.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6754</td>
   <td>A-31217937</td>
   <td>High</td>
   <td>None*</td>
   <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Aug 23, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3 id="rce-in-freetype">Remote code execution
vulnerability in Freetype</h3>
<p>
A remote code execution vulnerability in Freetype could enable a local malicious
application to load a specially crafted font to cause memory corruption in an
unprivileged process. This issue is rated as High due to the possibility of
remote code execution in applications that use Freetype.
</p>
<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2014-9675</td>
   <td><a href="https://android.googlesource.com/platform/external/freetype/+/f720f0dbcf012d6c984dbbefa0875ef9840458c6">
       A-24296662</a>
      [<a href="https://android.googlesource.com/platform/external/pdfium/+/96f965ff7411f1edba72140fd70740e63cabec71">2</a>]
   </td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
   <td>Google internal</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>
<h3
id="eop-in-kernel-performance-subsystem">Elevation
of privilege vulnerability in kernel performance subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel performance subsystem
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2015-8963</td>
   <td>A-30952077
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12ca6ad2e3a896256f086497a7c7406a547ee373">Upstream
kernel</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Dec 15, 2015</td>
  </tr>
</table>
<h3
id="eop-in-kernel-system-call-auditing-subsystem">Elevation
of privilege vulnerability in kernel system-call auditing subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel system-call auditing
subsystem could enable a local malicious application to disrupt system-call
auditing in the kernel. This issue is rated as High because it is a general
bypass for a kernel-level defense in depth or exploit mitigation technology.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6136</td>
   <td>A-30956807
<br>
<a
href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c">Upstream
kernel</a></td>
   <td>High</td>
   <td>Android One, Pixel C, Nexus Player</td>
   <td>Jul 1, 2016</td>
  </tr>
</table>
<h3
id="eop-in-qualcomm-crypto-engine-driver">Elevation
of privilege vulnerability in Qualcomm crypto engine driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm crypto engine driver
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6738</td>
   <td>A-30034511
<br>
<a
href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a829c54236b455885c3e9c7c77ac528b62045e79">QC-CR#1050538</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 7, 2016</td>
  </tr>
</table>
<h3
id="eop-in-qualcomm-camera-driver">Elevation of
privilege vulnerability in Qualcomm camera driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm camera driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6739</td>
   <td>A-30074605*<br>
       QC-CR#1049826</td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
   <td>Jul 11, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6740</td>
   <td>A-30143904
<br>
<a
href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=ef78bd62f0c064ae4c827e158d828b2c110ebcdc">QC-CR#1056307</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 12, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6741</td>
   <td>A-30559423
<br>
<a
href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=d291eebd8e43bba3229ae7ef9146a132894dc293">QC-CR#1060554</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 28, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="eop-in-qualcomm-bus-driver">Elevation
of privilege vulnerability in Qualcomm bus driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm bus driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising a
privileged process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-3904</td>
   <td>A-30311977
<br>
<a
href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=069683407ca9a820d05c914b57c587bcd3f16a3a">QC-CR#1050455</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
   <td>Jul 22, 2016</td>
  </tr>
</table>
<h3
id="eop-in-synaptics-touchscreen-driver">Elevation
of privilege vulnerability in Synaptics touchscreen driver</h3>
<p>
An elevation of privilege vulnerability in the Synaptics touchscreen driver
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6742</td>
   <td>A-30799828*</td>
   <td>High</td>
   <td>Nexus 5X, Android One</td>
   <td>Aug 9, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6744</td>
   <td>A-30970485*</td>
   <td>High</td>
   <td>Nexus 5X</td>
   <td>Aug 19, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6745</td>
   <td>A-31252388*</td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL</td>
   <td>Sep 1, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6743</td>
   <td>A-30937462*</td>
   <td>High</td>
   <td>Nexus 9, Android One</td>
   <td>Google internal</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="id-in-kernel-components">Information
disclosure vulnerability in kernel components</h3>
<p>
An information disclosure vulnerability in kernel components, including the
human interface device driver, file system, and Teletype driver, could enable a
local malicious application to access data outside of its permission levels.
This issue is rated as High because it could be used to access sensitive data
without explicit user permission.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2015-8964</td>
   <td>A-30951112
<br>
<a
href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=dd42bf1197144ede075a9d4793123f7689e164bc">Upstream
kernel</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Nov 27, 2015</td>
  </tr>
  <tr>
   <td>CVE-2016-7915</td>
   <td>A-30951261
<br>
<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=50220dead1650609206efe91f0cc116132d59b3f">Upstream
kernel</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>Jan 19, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-7914</td>
   <td>A-30513364
<br>
<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2">Upstream
kernel</a></td>
   <td>High</td>
   <td>Pixel C, Pixel, Pixel XL</td>
   <td>Apr 06, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-7916</td>
   <td>A-30951939
<br>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8148a73c9901a8794a50f950083c00ccf97d43b3">Upstream
kernel</a></td>
   <td>High</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
Pixel, Pixel XL</td>
   <td>May 05, 2016</td>
  </tr>
</table>
<h3 id="id-in-nvidia-gpu-driver">Information
disclosure vulnerability in NVIDIA GPU driver</h3>
<p>
An information disclosure vulnerability in the NVIDIA GPU driver could enable a
local malicious application to access data outside of its permission levels.
This issue is rated as High because it could be used to access sensitive data
without explicit user permission.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6746</td>
   <td>A-30955105*<br>
       N-CVE-2016-6746</td>
   <td>High</td>
   <td>Pixel C</td>
   <td>Aug 18, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="dos-in-mediaserver-1">Denial of service vulnerability in Mediaserver</h3>
<p>
A denial of service vulnerability in Mediaserver could enable an attacker to use
a specially crafted file to cause a device hang or reboot. This issue is rated
as High due to the possibility of remote denial of service.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6747</td>
   <td>A-31244612*<br>
       N-CVE-2016-6747</td>
   <td>High</td>
   <td>Nexus 9</td>
   <td>Google internal</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="id-in-kernel-components-1">Information disclosure vulnerability in
kernel components</h3>
<p>
An information disclosure vulnerability in kernel components, including the
process-grouping subsystem and the networking subsystem, could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it first requires compromising a privileged
process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-7917</td>
   <td>A-30947055
<br>
<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c58d6c93680f28ac58984af61d0a7ebf4319c241">Upstream
kernel</a></td>
   <td>Moderate</td>
   <td>Pixel C, Pixel, Pixel XL</td>
   <td>Feb 02, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6753</td>
   <td>A-30149174*</td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel C, Nexus Player, Pixel, Pixel
XL</td>
   <td>Jul 13, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3 id="id-in-qualcomm-components">Information
disclosure vulnerability in Qualcomm components</h3>
<p>
An information disclosure vulnerability in Qualcomm components including the GPU
driver, power driver, SMSM Point-to-Point driver, and sound driver, could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6748</td>
   <td>A-30076504
<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=be651d020b122a1ba9410d23ca4ebbe9f5598df6">QC-CR#987018</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 12, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6749</td>
   <td>A-30228438
<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f9185dc83b92e7d1ee341e32e8cf5ed00a7253a7">QC-CR#1052818</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
   <td>Jul 12, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6750</td>
   <td>A-30312054
<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=34bda711a1c7bc7f9fd7bea3a5be439ed00577e5">QC-CR#1052825</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Jul 21, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-3906</td>
   <td>A-30445973
<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=b333d32745fec4fb1098ee1a03d4425f3c1b4c2e">QC-CR#1054344</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6P</td>
   <td>Jul 27, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-3907</td>
   <td>A-30593266
<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=744330f4e5d70dce71c4c9e03c5b6a8b59bb0cda">QC-CR#1054352</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
   <td>Aug 2, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6698</td>
   <td>A-30741851
<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=de90beb76ad0b80da821c3b857dd30cd36319e61">QC-CR#1058826</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Aug 2, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6751</td>
   <td>A-30902162*<br>
       QC-CR#1062271</td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Aug 15, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6752</td>
   <td>A-31498159
<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?h=0de2c7600c8f1f0152a2f421c6593f931186400a">QC-CR#987051</a></td>
   <td>Moderate</td>
   <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
   <td>Google internal</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h2 id="2016-11-06-details">2016-11-06 security patch levelVulnerability details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities listed in the
<a href="#2016-11-06-summary">2016-11-06 security patch levelVulnerability
summary</a> above. There is a description of
the issue, a severity rationale, and a table with the CVE, associated
references, severity, updated Google devices, updated AOSP versions (where
applicable), and date reported. When available, we will link the public change
that addressed the issue to the bug ID, like the AOSP change list. When multiple
changes relate to a single bug, additional references are linked to numbers
following the bug ID.
</p>
<h3
id="eop-in-kernel-memory-subsystem">Elevation
of privilege vulnerability in kernel memory subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel memory subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<p>
<strong>Note:</strong> A security patch level of 2016-11-06 indicates that this
issue, as well as all issues associated with 2016-11-01 and 2016-11-05 are
addressed.
</p>
<table>
  <tr>
   <th>CVE</th>
   <th>References</th>
   <th>Severity</th>
   <th>Updated kernel versions</th>
   <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-5195</td>
   <td>A-32141528<br>
<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=9691eac5593ff1e2f82391ad327f21d90322aec1">Upstream kernel</a>
[<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=e45a502bdeae5a075257c4f061d1ff4ff0821354">2</a>]</td>
   <td>Critical</td>
   <td>3.10, 3.18</td>
   <td>Oct 12, 2016</td>
  </tr>
</table>
<h2 id="common-questions-and-answers">Common Questions and Answers</h2>
<p>
This section answers common questions that may occur after reading this
bulletin.
</p>
<p>
<strong>1. How do I determine if my device is updated to address these issues?</strong>
</p>
<p>
To learn how to check a devices security patch level, read the instructions on the
<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
and Nexus update schedule</a>.
</p>
<ul>
  <li>Security patch levels of 2016-11-01 or later address all issues associated
  with the 2016-11-01 security patch level.</li>
  <li>Security patch levels of 2016-11-05 or later address all issues associated
  with the 2016-11-05 security patch level and all previous patch levels.</li>
  <li>Security patch levels of 2016-11-06 or later address all issues associated
  with the 2016-11-06 security patch level and all previous patch
  levels.</li>
</ul>
<p>
Device manufacturers that include these updates should set the patch level
string to:
</p>
<ul>
  <li>[ro.build.version.security_patch]:[2016-11-01]</li>
  <li>[ro.build.version.security_patch]:[2016-11-05]</li>
  <li>[ro.build.version.security_patch]:[2016-11-06].</li>
</ul>
<p>
<strong>2. Why does this bulletin have three security patch levels?</strong>
</p>
<p>
This bulletin has three security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.
</p>
<ul>
  <li>Devices that use the November 1, 2016 security patch level must include all
  issues associated with that security patch level, as well as fixes for all
  issues reported in previous security bulletins.</li>
  <li>Devices that use the security patch level of November 5, 2016 or newer must
  include all applicable patches in this (and previous) security bulletins.</li>
  <li>Devices that use the security patch level of November 6, 2016 or newer must
  include all applicable patches in this (and previous) security
  bulletins.</li>
</ul>
<p>
Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.
</p>
<p id="google-devices">
<strong>3. How do I determine which Google devices are affected by each
issue?</strong>
</p>
<p>
In the
<a href="#2016-11-01-details">2016-11-01</a>,
<a href="#2016-11-05-details">2016-11-05</a>,
and
<a href="#2016-11-06-details">2016-11-06</a>
security vulnerability details sections, each table has an <em>Updated Google
devices</em> column that covers the range of affected Google devices updated for
each issue. This column has a few options:
</p>
<ul>
  <li><strong>All Google devices</strong>: If an issue affects all Nexus and Pixel
  devices, the table will have "All" in the <em>Updated Google devices</em>
  column. "All" encapsulates the following
  <a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">supported
  devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9,
  Android One, Nexus Player, Pixel C, Pixel, and Pixel XL.</li>
  <li><strong>Some Google devices</strong>: If an issue doesn't affect all Google
  devices, the affected Google devices are listed in the <em>Updated Google
  devices</em> column.</li>
  <li><strong>No Google devices</strong>: If no Google devices running Android 7.0
  are affected by the issue, the table will have "None" in the <em>Updated Google
  devices</em> column.</li>
</ul>
<p>
<strong>4. What do the entries in the references column map to?</strong>
</p>
<p>
Entries under the <em>References</em> column of the vulnerability details table
may contain a prefix identifying the organization to which the reference value
belongs. These prefixes map as follows:
</p>
<table>
  <tr>
   <th>Prefix</th>
   <th>Reference</th>
  </tr>
  <tr>
   <td>A-</td>
   <td>Android bug ID</td>
  </tr>
  <tr>
   <td>QC-</td>
   <td>Qualcomm reference number</td>
  </tr>
  <tr>
   <td>M-</td>
   <td>MediaTek reference number</td>
  </tr>
  <tr>
   <td>N-</td>
   <td>NVIDIA reference number</td>
  </tr>
  <tr>
   <td>B-</td>
   <td>Broadcom reference number</td>
  </tr>
</table>

<h2 id="revisions">Revisions</h2>
<ul>
  <li>November 07, 2016: Bulletin published.</li>
  <li>November 08: Bulletin revised to include AOSP links and updated
      description for CVE-2016-6709.</li>
  <li>November 17: Bulletin revised to include attribution for CVE-2016-6828.</li>
  <li>December 21: Updated researcher credit.</li>
</ul>

  </body>
</html>