xref: /docs/source.android.com/en/security/bulletin/2016-12-01.html

<html devsite>
  <head>
    <title>Android Security BulletinDecember 2016</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->



<p><em>Published December 05, 2016 | Updated December 21, 2016</em></p>
<p>
The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Alongside the bulletin, we have released a security
update to Google devices through an over-the-air (OTA) update. The Google device
firmware images have also been released to the <a
href="https://developers.google.com/android/nexus/images">Google Developer
site</a>. Security patch levels of December 05, 2016 or later address all of
these issues. Refer to the <a
href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
and Nexus update schedule</a> to learn how to check a device's security patch
level.
</p>
<p>
Partners were notified of the issues described in the bulletin on November 07,
2016 or earlier. Source code patches for these issues have been released to the
Android Open Source Project (AOSP) repository and linked from this bulletin.
This bulletin also includes links to patches outside of AOSP.
</p>
<p>
The most severe of these issues are Critical security vulnerabilities in
device-specific code that could enable arbitrary code execution within the
context of the kernel, leading to the possibility of a local permanent device
compromise, which may require reflashing the operating system to repair the
device. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.
</p>
<p>
We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the <a href="#mitigations">Android and Google service
mitigations</a> section for details on the <a
href="/security/enhancements/index.html">Android
security platform protections</a> and service protections such as <a
href="https://developer.android.com/training/safetynet/index.html">SafetyNet</a>,
which improve the security of the Android platform.
</p>
<p>
We encourage all customers to accept these updates to their devices.
</p>
<h2 id="announcements">Announcements</h2>
<ul>
  <li>This bulletin has two security patch level strings to provide Android
  partners with the flexibility to more quickly fix a subset of vulnerabilities
  that are similar across all Android devices. See
  <a href="#common-questions-and-answers">Common
  questions and answers</a> for additional information:
    <ul>
     <li><strong>2016-12-01</strong>: Partial security patch level string. This
    security patch level string indicates that all issues associated with 2016-12-01
    (and all previous security patch level strings) are addressed.</li>
     <li><strong>2016-12-05</strong>: Complete security patch level string. This
    security patch level string indicates that all issues associated with 2016-12-01
    and 2016-12-05 (and all previous security patch level strings) are addressed.</li>
    </ul>
  </li>
  <li>Supported Google devices will receive a single OTA update with the December
  05, 2016 security patch level.</li>
</ul>
<h2 id="mitigations">Android and Google service mitigations</h2>
<p>
This is a summary of the mitigations provided by the <a
href="/security/enhancements/index.html">Android
security platform</a> and service protections, such as SafetyNet. These
capabilities reduce the likelihood that security vulnerabilities could be
successfully exploited on Android.
</p>
<ul>
<li>Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all users
to update to the latest version of Android where possible.</li>
<li>The Android Security team actively monitors for abuse with
<a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify
Apps and SafetyNet</a>, which are designed to warn users about
<a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
Harmful Applications</a>. Verify Apps is enabled by default on devices with <a
href="http://www.android.com/gms">Google Mobile Services</a> and is especially
important for users who install applications from outside of Google Play. Device
rooting tools are prohibited within Google Play, but Verify Apps warns users
when they attempt to install a detected rooting applicationno matter where it
comes from. Additionally, Verify Apps attempts to identify and block
installation of known malicious applications that exploit a privilege escalation
vulnerability. If such an application has already been installed, Verify Apps
will notify the user and attempt to remove the detected application.</li>
<li>As appropriate, Google Hangouts and Messenger applications do not
automatically pass media to processes such as Mediaserver.</li>
</ul>

<h2 id="acknowledgements">Acknowledgements</h2>
<p>
We would like to thank these researchers for their contributions:
</p>

<ul>
  <li>Baozeng Ding, Chengming Yang, Peng Xiao, Ning You, Yang Dong, Chao Yang,
  Yi Zhang, and Yang Song of Alibaba Mobile Security Group: CVE-2016-6783,
  CVE-2016-6784, CVE-2016-6785</li>
  <li><a href="mailto:zc1991 (a] mail.ustc.edu.cn">Chi Zhang</a>, Mingjian Zhou (<a
  href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6789, CVE-2016-6790</li>
  <li>Christian Seel: CVE-2016-6769</li>
  <li>David Benjamin and Kenny Root of Google: CVE-2016-6767</li>
  <li>Di Shen (<a href="https://twitter.com/returnsme">@returnsme</a>) of KeenLab
  (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-6776,
  CVE-2016-6787</li>
  <li>En He (<a href="https://twitter.com/heeeeen4x">@heeeeen4x</a>) of <a
  href="http://www.ms509.com">MS509Team</a>: CVE-2016-6763</li>
  <li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>),
  <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360 Technology
  Co. Ltd.: CVE-2016-6779, CVE-2016-6778, CVE-2016-8401, CVE-2016-8402,
  CVE-2016-8403, CVE-2016-8409, CVE-2016-8408, CVE-2016-8404</li>
  <li>Jianqiang Zhao (<a
  href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) and <a
  href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360 Technology Co.
  Ltd: CVE-2016-6788, CVE-2016-6781, CVE-2016-6782, CVE-2016-8396</li>
  <li><a href="mailto:zlbzlb815 (a] 163.com">Lubo Zhang</a>, <a
  href="mailto:segfault5514 (a] gmail.com">Tong Lin</a>, <a
  href="mailto:computernik (a] gmail.com">Yuan-Tsung Lo</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6791, CVE-2016-8391,
  CVE-2016-8392</li>
  <li>Mark Brand of Project Zero: CVE-2016-6772</li>
  <li><a href="https://github.com/michalbednarski">Micha Bednarski</a>:
  CVE-2016-6770, CVE-2016-6774</li>
  <li>Mingjian Zhou (<a
  href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), <a
  href="mailto:zc1991 (a] mail.ustc.edu.cn">Chi Zhang</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6761, CVE-2016-6759,
  CVE-2016-8400</li>
  <li>Mingjian Zhou (<a
  href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6760</li>
  <li>Mingjian Zhou (<a
  href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), <a
  href="mailto:arnow117 (a] gmail.com">Hanxiang Wen</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6759</li>
  <li>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) of
  Tesla Motors Product Security Team: CVE-2016-6915, CVE-2016-6916, CVE-2016-6917</li>
  <li>Nightwatch Cybersecurity Research (<a
  href="https://twitter.com/nightwatchcyber">@nightwatchcyber</a>): CVE-2016-5341</li>
  <li>Pengfei Ding (), Chenfu Bao (), Lenx Wei () of Baidu X-Lab:
  CVE-2016-6755, CVE-2016-6756</li>
  <li>Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>) of Trend
  Micro: CVE-2016-8397, CVE-2016-8405, CVE-2016-8406, CVE-2016-8407</li>
  <li>Qidan He () (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>)
  of KeenLab, Tencent (): CVE-2016-8399, CVE-2016-8395</li>
  <li>Qidan He () (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>)
  and Marco Grassi (<a href="https://twitter.com/marcograss">@marcograss</a>) of
  KeenLab, Tencent (): CVE-2016-6768</li>
  <li>Richard Shupak: CVE-2016-5341</li>
  <li>Sagi Kedmi of IBM X-Force Research: CVE-2016-8393, CVE-2016-8394</li>
  <li>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of
  Mobile Threat Research Team, Trend Micro Inc.: CVE-2016-6757</li>
  <li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
  Alibaba Inc.: CVE-2016-6773</li>
  <li><a href="mailto:vancouverdou (a] gmail.com">Wenke Dou</a>, <a
  href="mailto:zc1991 (a] mail.ustc.edu.cn">Chi Zhang</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6765</li>
  <li>Wish Wu (<a href="https://twitter.com/wish_wu">@wish_wu</a>) (<a
  href="http://weibo.com/wishlinux"></a>) of <a
  href="http://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile/">Mobile
  Threat Response Team</a>, <a href="http://www.trendmicro.com">Trend Micro
  Inc.</a>: CVE-2016-6704</li>
  <li><a href="mailto:computernik (a] gmail.com">Yuan-Tsung Lo</a>, <a
  href="mailto:segfault5514 (a] gmail.com">Tong Lin</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6786, CVE-2016-6780,
  CVE-2016-6775</li>
  <li><a href="mailto:computernik (a] gmail.com">Yuan-Tsung Lo</a>, <a
  href="mailto:wisedd (a] gmail.com">Xiaodong Wang</a>, Chiachih Wu (<a
  href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a
  href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6777</li>
  <li>Yuxiang Li of Tencent Security Platform Department: CVE-2016-6771</li>
  <li>Zhe Jin () of Chengdu Security Response Center, Qihoo 360 Technology Co.
  Ltd.: CVE-2016-6764, CVE-2016-6766</li>
  <li><a href="http://weibo.com/ele7enxxh">Zinuo Han</a>  of Chengdu Security
  Response Center of Qihoo 360 Technology Co. Ltd.: CVE-2016-6762</li>
</ul>
<p>
Additional thanks to thank MengLuo Gou (<a
href="https://twitter.com/idhyt3r">@idhyt3r</a>) of Bottle Tech, Yong Wang ()
(<a href="https://twitter.com/ThomasKing2014">@ThomasKing2014</a>), and Zubin
Mithra of Google for their contributions to this security bulletin.
</p>

<h2 id="2016-12-01-details">2016-12-01 security patch levelVulnerability
details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2016-12-01 patch level. There is a description of
the issue, a severity rationale, and a table with the CVE, associated
references, severity, updated Google devices, updated AOSP versions (where
applicable), and date reported. When available, we will link the public change
that addressed the issue to the bug ID, like the AOSP change list. When multiple
changes relate to a single bug, additional references are linked to numbers
following the bug ID.</p>


<h3 id="rce-in-curl-libcurl">Remote code execution vulnerability in
CURL/LIBCURL</h3>
<p>
The table contains security vulnerabilities affecting the CURL and LIBCURL
libraries. The most severe issue could enable a man-in-the-middle attacker
using a forged certificate to execute arbitrary code within the context of a
privileged process. This issue is rated as High due to the attacker needing a
forged certificate.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-5419</td>
    <td>A-31271247</td>
    <td>High</td>
    <td>All</td>
    <td>7.0</td>
    <td>Aug 3, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-5420</td>
    <td>A-31271247</td>
    <td>High</td>
    <td>All</td>
    <td>7.0</td>
    <td>Aug 3, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-5421</td>
    <td>A-31271247</td>
    <td>High</td>
    <td>All</td>
    <td>7.0</td>
    <td>Aug 3, 2016</td>
  </tr>
</table>


<h3 id="eop-in-libziparchive">Elevation of privilege vulnerability in
libziparchive</h3>
<p>
An elevation of privilege vulnerability in the libziparchive library could
enable a local malicious application to execute arbitrary code within the
context of a privileged process. This issue is rated as High because it could
be used to gain local access to elevated capabilities, which are not normally
accessible to a third-party application.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6762</td>
   <td><a href="https://android.googlesource.com/platform/system/core/+/1ee4892e66ba314131b7ecf17e98bb1762c4b84c">
       A-31251826</a>
      [<a href="https://android.googlesource.com/platform/bionic/+/3656958a16590d07d1e25587734e000beb437740">2</a>]
   </td>
    <td>High</td>
    <td>All</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
    <td>Aug 28, 2016</td>
  </tr>
</table>


<h3 id="dos-in-telephony">Denial of service vulnerability in Telephony</h3>
<p>
A denial of service vulnerability in Telephony could enable a local malicious
application to use a specially crafted file to cause a device hang or reboot.
This issue is rated as High due to the possibility of local permanent denial of
service.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6763</td>
    <td><a href="https://android.googlesource.com/platform/packages/services/Telephony/+/1294620627b1e9afdf4bd0ad51c25ed3daf80d84">
        A-31530456</a></td>
    <td>High</td>
    <td>All</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
    <td>Sep 12, 2016</td>
  </tr>
</table>


<h3 id="dos-in-mediaserver">Denial of service vulnerability in Mediaserver</h3>
<p>
A denial of service vulnerability in Mediaserver could enable an attacker to
use a specially crafted file to cause a device hang or reboot. This issue is
rated as High due to the possibility of remote denial of service.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-6766 </td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/0d13824315b0491d44e9c6eb5db06489ab0fcc20">
       A-31318219</a></td>
   <td>High</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Sep 5, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6765</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/fd9cc97d4dfe2a2fbce2c0f1704d7a27ce7cbc44">
       A-31449945</a></td>
   <td>High</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 7.0</td>
   <td>Sep 13, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6764</td>
   <td><a href="https://android.googlesource.com/platform/frameworks/av/+/0d13824315b0491d44e9c6eb5db06489ab0fcc20">
       A-31681434</a></td>
   <td>High</td>
   <td>All</td>
   <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
   <td>Sep 22, 2016</td>
  </tr>
  <tr>
   <td>CVE-2016-6767</td>
   <td>A-31833604</td>
   <td>High</td>
   <td>None*</td>
   <td>4.4.4</td>
   <td>Google internal</td>
  </tr>
</table>

<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="rce-in-framesequence-library">Remote Code Execution vulnerability in
Framesequence library</h3>
<p>
A remote code execution vulnerability in the Framesequence library could enable
an attacker using a specially crafted file to execute arbitrary code in the
context of an unprivileged process. This issue is rated as High due to the
possibility of remote code execution in an application that uses the
Framesequence library.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6768</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/ex/+/0ada9456d0270cb0e357a43d9187a6418d770760">
        A-31631842</a></td>
    <td>High</td>
    <td>All</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
    <td>Sep 19, 2016</td>
  </tr>
</table>


<h3 id="eop-in-smart-lock">Elevation of privilege vulnerability in Smart
Lock</h3>
<p>
An elevation of privilege vulnerability in Smart Lock could enable a local
malicious user to access Smart Lock settings without a PIN. This issue is rated
as Moderate because it first requires physical access to an unlocked device
where Smart Lock was the last settings pane accessed by the user.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6769</td>
    <td>A-29055171</td>
    <td>Moderate</td>
    <td>None*</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>May 27, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="eop-in-framework-apis">Elevation of privilege vulnerability in
Framework APIs</h3>
<p>
An elevation of privilege vulnerability in the Framework API could enable a
local malicious application to access system functions beyond its access level.
This issue is rated as Moderate because it is a local bypass of restrictions on
a constrained process.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6770</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/2c61c57ac53cbb270b4e76b9d04465f8a3f6eadc">
        A-30202228</a></td>
    <td>Moderate</td>
    <td>All</td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
    <td>Jul 16, 2016</td>
  </tr>
</table>


<h3 id="eop-in-telephony">Elevation of privilege vulnerability in
Telephony</h3>
<p>
An elevation of privilege vulnerability in Telephony could enable a local
malicious application to access system functions beyond its access level. This
issue is rated as Moderate because it is a local bypass of restrictions on a
constrained process.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6771</td>
    <td><a href="https://android.googlesource.com/platform/packages/services/Telephony/+/a39ff9526aee6f2ea4f6e02412db7b33d486fd7d">
        A-31566390</a></td>
    <td>Moderate</td>
    <td>All</td>
    <td>6.0, 6.0.1, 7.0</td>
    <td>Sep 17, 2016</td>
  </tr>
</table>


<h3 id="eop-in-wi-fi">Elevation of privilege vulnerability in Wi-Fi</h3>
<p>
An elevation of privilege vulnerability in Wi-Fi could enable a local malicious
application to execute arbitrary code within the context of a privileged
process. This issue is rated as Moderate because it first requires compromising
a privileged process.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6772</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/a5a18239096f6faee80f15f3fff39c3311898484">
        A-31856351</a>
       [<a href="https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/29a2baf3195256bab6a0a4a2d07b7f2efa46b614">2</a>]</td>
    <td>Moderate</td>
    <td>All</td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
    <td>Sep 30, 2016</td>
  </tr>
</table>


<h3 id="id-in-mediaserver">Information disclosure vulnerability in
Mediaserver</h3>
<p>
An information disclosure vulnerability in Mediaserver could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it could be used to access sensitive data
without permission.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6773</td>
    <td><a href="https://android.googlesource.com/platform/external/libavc/+/026745ef046e646b8d04f4f57d8320042f6b29b0">
        A-30481714</a>
       [<a href="https://android.googlesource.com/platform/external/libavc/+/6676aeb4195e7c7379915c0972f3d209410f0641">2</a>]</td>
    <td>Moderate</td>
    <td>All</td>
    <td>6.0, 6.0.1, 7.0</td>
    <td>Jul 27, 2016</td>
  </tr>
</table>


<h3 id="id-in-package-manager">Information disclosure vulnerability in Package
Manager</h3>
<p>
An information disclosure vulnerability in Package Manager could enable a local
malicious application to bypass operating system protections that isolate
application data from other applications. This issue is rated as Moderate
because it first requires compromising a privileged process.
</p>

<table>
  <col width="18%">
  <col width="18%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6774</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e2d4f5fc313ecb4ba587b20fff6d346f8cd51775">
        A-31251489</a></td>
    <td>Moderate</td>
    <td>All</td>
    <td>7.0</td>
    <td>Aug 29, 2016</td>
  </tr>
</table>


<h2 id="2016-12-05-details">2016-12-05 security patch levelVulnerability
details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2016-12-05 patch level. There is a description of
the issue, a severity rationale, and a table with the CVE, associated
references, severity, updated Google devices, updated AOSP versions (where
applicable), and date reported. When available, we will link the public change
that addressed the issue to the bug ID, like the AOSP change list. When multiple
changes relate to a single bug, additional references are linked to numbers
following the bug ID.</p>

<h3 id="eop-in-kernel-memory-subsystem">Elevation of privilege vulnerability in
kernel memory subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel memory subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility
of a local permanent device compromise, which may require reflashing the
operating system to repair the device.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-4794</td>
    <td>A-31596597<br>
       <a href="http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=6710e594f71ccaad8101bc64321152af7cd9ea28">
       Upstream kernel</a>
      [<a href="http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=4f996e234dad488e5d9ba0858bc1bae12eff82c3">2</a>]</td>
    <td>Critical</td>
    <td>Pixel C, Pixel, Pixel XL</td>
    <td>Apr 17, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-5195</td>
    <td>A-32141528<br>
       <a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=9691eac5593ff1e2f82391ad327f21d90322aec1">
       Upstream kernel</a>
      [<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=e45a502bdeae5a075257c4f061d1ff4ff0821354">2</a>]</td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Oct 12, 2016</td>
  </tr>
</table>


<h3 id="eop-in-nvidia-gpu-driver">Elevation of privilege vulnerability in
NVIDIA GPU driver</h3>
<p>
An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6775</td>
    <td>A-31222873*<br>N-CVE-2016-6775</td>
    <td>Critical</td>
    <td>Nexus 9</td>
    <td>Aug 25, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6776</td>
    <td>A-31680980*<br>N-CVE-2016-6776</td>
    <td>Critical</td>
    <td>Nexus 9</td>
    <td>Sep 22, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6777</td>
    <td>A-31910462*<br>N-CVE-2016-6777</td>
    <td>Critical</td>
    <td>Nexus 9</td>
    <td>Oct 3, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-kernel">Elevation of privilege vulnerability in kernel</h3>
<p>
An elevation of privilege vulnerability in the kernel could enable a local
malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2015-8966</td>
    <td>A-31435731<br>
        <a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=76cc404bfdc0d419c720de4daaf2584542734f42">
Upstream kernel</a></td>
    <td>Critical</td>
    <td>None*</td>
    <td>Sep 10, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="eop-in-nvidia-video-driver">Elevation of privilege vulnerability in
NVIDIA video driver</h3>
<p>
An elevation of privilege vulnerability in the NVIDIA video driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6915</td>
    <td>A-31471161*
    <br>N-CVE-2016-6915</td>
    <td>Critical</td>
    <td>Nexus 9</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6916</td>
    <td>A-32072350*
    <br>N-CVE-2016-6916</td>
    <td>Critical</td>
    <td>Nexus 9, Pixel C</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6917</td>
    <td>A-32072253*
    <br>N-CVE-2016-6917</td>
    <td>Critical</td>
    <td>Nexus 9</td>
    <td>Sep 13, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-kernel-ion-driver">Elevation of privilege vulnerability in
kernel ION driver</h3>
<p>
An elevation of privilege vulnerability in the kernel ION driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-9120</td>
    <td>A-31568617<br>
        <a
href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9590232bb4f4cc824f3425a6e1349afbe6d6d2b7">
Upstream kernel</a></td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel C, Nexus Player</td>
    <td>Sep 16, 2016</td>
  </tr>
</table>

<h3 id="vulnerabilities-in-qc-components">Vulnerabilities in Qualcomm components</h3>
<p>
The following vulnerabilities affects Qualcomm components and is described in
further detail in Qualcomm AMSS November 2015 security bulletin.
</p>
<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
   <th>CVE</th>
   <th>References</th>
   <th>Severity*</th>
   <th>Updated Google devices</th>
   <th>Date reported</th>
  </tr>
  <tr>
   <td>CVE-2016-8411</td>
   <td>A-31805216**</td>
   <td>Critical</td>
   <td>Nexus 6, Nexus 6P, Android One</td>
   <td>Qualcomm internal</td>
  </tr>
</table>
<p>* The severity rating for these vulnerabilities was determined by the vendor.</p>
<p>** The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-kernel-file-system">Elevation of privilege vulnerability in
kernel file system</h3>
<p>
An elevation of privilege vulnerability in the kernel file system could enable
a local malicious application to bypass operating system protections that
isolate application data from other applications. This issue is rated as High
because it could be used to gain local access to elevated capabilities, which
are not normally accessible to a third-party application.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2014-4014</td>
    <td>A-31252187<br>
        <a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23adbe12ef7d3d4195e80800ab36b37bee28cd03">
Upstream kernel</a></td>
    <td>High</td>
    <td>Nexus 6, Nexus Player</td>
    <td>Jun 10, 2014</td>
  </tr>
</table>


<h3 id="eop-in-kernel-2">Elevation of privilege vulnerability in kernel</h3>
<p>
An elevation of privilege vulnerability in the kernel could enable a local
malicious application to to execute arbitrary code within the context of the
kernel. This issue is rated as High because it first requires exploitation of a
separate vulnerability.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2015-8967</td>
    <td>A-31703084<br>
        <a
href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c623b33b4e9599c6ac5076f7db7369eb9869aa04">
Upstream kernel</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P, Nexus 9, Pixel C, Pixel, Pixel XL</td>
    <td>Jan 8, 2015</td>
  </tr>
</table>


<h3 id="eop-in-htc-sound-codec-driver">Elevation of privilege vulnerability in
HTC sound codec driver</h3>
<p>
An elevation of privilege vulnerability in the HTC sound codec driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6778</td>
    <td>A-31384646*</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Feb 25, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6779</td>
    <td>A-31386004*</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Feb 25, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6780</td>
    <td>A-31251496*</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Aug 30, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-mediatek-driver">Elevation of privilege vulnerability in
MediaTek driver</h3>
<p>
An elevation of privilege vulnerability in the MediaTek driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as High because it first requires compromising a
privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6492</td>
    <td>A-28175122<br>MT-ALPS02696413</td>
    <td>High</td>
    <td>None*</td>
    <td>Apr 11, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6781</td>
    <td>A-31095175<br>MT-ALPS02943455</td>
    <td>High</td>
    <td>None*</td>
    <td>Aug 22, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6782</td>
    <td>A-31224389<br>MT-ALPS02943506</td>
    <td>High</td>
    <td>None*</td>
    <td>Aug 24, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6783</td>
    <td>A-31350044<br>MT-ALPS02943437</td>
    <td>High</td>
    <td>None*</td>
    <td>Sep 6, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6784</td>
    <td>A-31350755<br>MT-ALPS02961424</td>
    <td>High</td>
    <td>None*</td>
    <td>Sep 6, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6785</td>
    <td>A-31748056<br>MT-ALPS02961400</td>
    <td>High</td>
    <td>None*</td>
    <td>Sep 25, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="eop-in-qualcomm-media-codecs">Elevation of privilege vulnerability in
Qualcomm media codecs</h3>
<p>
An elevation of privilege vulnerability in Qualcomm media codecs could enable a
local malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to
gain local access to elevated capabilities, which are not normally accessible
to a third-party application.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6761</td>
    <td>A-29421682*
    <br>QC-CR#1055792</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel,
Pixel XL</td>
    <td>Jun 16, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6760</td>
    <td>A-29617572*
    <br>QC-CR#1055783</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel,
Pixel XL</td>
    <td>Jun 23, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6759</td>
    <td>A-29982686*
    <br>QC-CR#1055766</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel,
Pixel XL</td>
    <td>Jul 4, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6758</td>
    <td>A-30148882*
    <br>QC-CR#1071731</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel,
Pixel XL</td>
    <td>Jul 13, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-qualcomm-camera-driver">Elevation of privilege vulnerability in
Qualcomm camera driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm camera driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6755</td>
    <td>A-30740545<br>
        <a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=b5df02edbcdf53dbbab77903d28162772edcf6e0">
QC-CR#1065916</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
    <td>Aug 3, 2016</td>
  </tr>
</table>


<h3 id="eop-in-kernel-performance-subsystem">Elevation of privilege
vulnerability in kernel performance subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel performance subsystem
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6786</td>
    <td>A-30955111
       <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b">Upstream kernel</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Aug 18, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6787</td>
    <td>A-31095224
       <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b">Upstream kernel</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Aug 22, 2016</td>
  </tr>
</table>


<h3 id="eop-in-mediatek-i2c-driver">Elevation of privilege vulnerability in
MediaTek I2C driver</h3>
<p>
An elevation of privilege vulnerability in the MediaTek I2C driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising
a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6788</td>
    <td>A-31224428<br>MT-ALPS02943467</td>
    <td>High</td>
    <td>None*</td>
    <td>Aug 24, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="eop-in-nvidia-libomx-library">Elevation of privilege vulnerability in
NVIDIA libomx library</h3>
<p>
An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx)
could enable a local malicious application to execute arbitrary code within the
context of a privileged process. This issue is rated as High because it could
be used to gain local access to elevated capabilities, which are not normally
accessible to a third-party application.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6789</td>
    <td>A-31251973*
    <br>N-CVE-2016-6789</td>
    <td>High</td>
    <td>Pixel C</td>
    <td>Aug 29, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6790</td>
    <td>A-31251628*
    <br>N-CVE-2016-6790</td>
    <td>High</td>
    <td>Pixel C</td>
    <td>Aug 28, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-qualcomm-sound-driver">Elevation of privilege vulnerability in
Qualcomm sound driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm sound driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6791</td>
    <td>A-31252384<br>
        <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79">
QC-CR#1071809</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
    <td>Aug 31, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8391</td>
    <td>A-31253255<br>
        <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79">
QC-CR#1072166</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
    <td>Aug 31, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8392</td>
    <td>A-31385862<br>
        <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79">
QC-CR#1073136</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
    <td>Sep 8, 2016</td>
  </tr>
</table>


<h3 id="eop-in-kernel-security-subsystem">Elevation of privilege vulnerability
in kernel security subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel security subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2015-7872</td>
    <td>A-31253168<br>
        <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61">
Upstream kernel</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel,
Pixel XL</td>
    <td>Aug 31, 2016</td>
  </tr>
</table>


<h3 id="eop-in-synaptics-touchscreen-driver">Elevation of privilege
vulnerability in Synaptics touchscreen driver</h3>
<p>
An elevation of privilege vulnerability in the Synaptics touchscreen driver
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8393</td>
    <td>A-31911920*</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL</td>
    <td>Sep 8, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8394</td>
    <td>A-31913197*</td>
    <td>High</td>
    <td>Nexus 9, Android One</td>
    <td>Sep 8, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-broadcom-wi-fi-driver">Elevation of privilege vulnerability in
Broadcom Wi-Fi driver</h3>
<p>
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2014-9909</td>
    <td>A-31676542<br>B-RB#26684</td>
    <td>High</td>
    <td>None*</td>
    <td>Sep 21, 2016</td>
  </tr>
  <tr>
    <td>CVE-2014-9910</td>
    <td>A-31746399<br>B-RB#26710</td>
    <td>High</td>
    <td>None*</td>
    <td>Sep 26, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="id-in-mediatek-video-driver">Information disclosure vulnerability in
MediaTek video driver</h3>
<p>
An information disclosure vulnerability in the MediaTek video driver could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as High because it could be used to access
sensitive data without explicit user permission.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8396</td>
    <td>A-31249105</td>
    <td>High</td>
    <td>None*</td>
    <td>Aug 26, 2016</td>
  </tr>
</table>
<p>
* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.
</p>


<h3 id="id-in-nvidia-video-driver">Information disclosure vulnerability in
NVIDIA video driver</h3>
<p>
An information disclosure vulnerability in the NVIDIA video driver could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as High because it could be used to access sensitive data
without explicit user permission.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8397</td>
    <td>A-31385953*<br>
    N-CVE-2016-8397</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Sep 8, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="dos-in-gps">Denial of service vulnerability in GPS</h3>
<p>
A denial of service vulnerability in the Qualcomm GPS component could enable a
remote attacker to cause a device hang or reboot. This issue is rated as High
due to the possibility of a temporary remote denial of service.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-5341</td>
    <td>A-31470303*</td>
    <td>High</td>
    <td>Nexus 6, Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel,
Pixel XL</td>
    <td>Jun 21, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="dos-in-nvidia-camera-driver">Denial of service vulnerability in NVIDIA
camera driver</h3>
<p>
A denial of service vulnerability in the NVIDIA camera driver could enable an
attacker to cause a local permanent denial of service, which may require
reflashing the operating system to repair the device. This issue is rated as
High due to the possibility of local permanent denial of service.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8395</td>
    <td>A-31403040*
    <br>N-CVE-2016-8395</td>
    <td>High</td>
    <td>Pixel C</td>
    <td>Sep 9, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="eop-in-kernel-networking-subsystem">Elevation of privilege
vulnerability in kernel networking subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel networking subsystem
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Moderate because it first
requires compromising a privileged process and current compiler optimizations
restrict access to the vulnerable code.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8399</td>
    <td>A-31349935*</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Sep 5, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="id-in-qualcomm-components">Information disclosure vulnerability in
Qualcomm components</h3>
<p>
An information disclosure vulnerability in Qualcomm components including the
camera driver and video driver could enable a local malicious application to
access data outside of its permission levels. This issue is rated as Moderate
because it first requires compromising a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-6756</td>
    <td>A-29464815<br>
        <a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f91d28dcba304c9f3af35b5bebaa26233c8c13a5">
        QC-CR#1042068</a>
       [<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=3a214ef870dc97437c7de79a1507dfe5079dce88">2</a>]</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
    <td>Jun 17, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-6757</td>
    <td>A-30148242<br>
        <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=cd99d3bbdb16899a425716e672485e0cdc283245">
QC-CR#1052821</a></td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Pixel, Pixel XL</td>
    <td>Jul 13, 2016</td>
  </tr>
</table>


<h3 id="id-in-nvidia-librm-library">Information disclosure vulnerability in
NVIDIA librm library</h3>
<p>
An information disclosure vulnerability in the NVIDIA librm library (libnvrm)
could enable a local malicious application to access data outside of its
permission levels. This issue is rated as Moderate because it could be used to
access sensitive data without permission.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8400</td>
    <td>A-31251599*
    <br>N-CVE-2016-8400</td>
    <td>Moderate</td>
    <td>Pixel C</td>
    <td>Aug 29, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="id-in-kernel-components">Information disclosure vulnerability in kernel
components</h3>
<p>
An information disclosure vulnerability in kernel components including the ION
subsystem, Binder, USB driver and networking subsystem could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it first requires compromising a privileged
process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8401</td>
    <td>A-31494725*</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8402</td>
    <td>A-31495231*</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8403</td>
    <td>A-31495348*</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8404</td>
    <td>A-31496950*</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8405</td>
    <td>A-31651010*</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Sep 21, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8406</td>
    <td>A-31796940*</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus
Player, Pixel, Pixel XL</td>
    <td>Sep 27, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8407</td>
    <td>A-31802656*</td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
    <td>Sep 28, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="id-in-nvidia-video-driver-2">Information disclosure vulnerability in
NVIDIA video driver</h3>
<p>
An information disclosure vulnerability in the NVIDIA video driver could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8408</td>
    <td>A-31496571*
    <br>N-CVE-2016-8408</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>Sep 13, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-8409</td>
    <td>A-31495687*
    <br>N-CVE-2016-8409</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>Sep 13, 2016</td>
  </tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Google devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>

<h3 id="id-in-qualcomm-sound-driver">Information disclosure vulnerability in
Qualcomm sound driver</h3>
<p>
An information disclosure vulnerability in the Qualcomm sound driver could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as Moderate because it first requires compromising
a privileged process.
</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Google devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-8410</td>
    <td>A-31498403<br>
        <a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?h=e2bbf665187a1f0a1248e4a088823cb182153ba9">
QC-CR#987010</a></td>
    <td>Moderate</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
    <td>Google internal</td>
  </tr>
</table>

<h2 id="common-questions-and-answers">Common Questions and Answers</h2>
<p>
This section answers common questions that may occur after reading this
bulletin.
</p>
<p>
<strong>1. How do I determine if my device is updated to address these issues?
</strong>
</p>
<p>
To learn how to check a device's security patch level, read the instructions on
the  <a
href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
and Nexus update schedule</a>.
</p>
<ul>
  <li>Security patch levels of 2016-12-01 or later address all issues associated
  with the 2016-12-01 security patch level.</li>
  <li>Security patch levels of 2016-12-05 or later address all issues associated
  with the 2016-12-05 security patch level and all previous patch levels.</li>
</ul>
<p>
Device manufacturers that include these updates should set the patch string
level to:
</p>
<ul>
  <li>[ro.build.version.security_patch]:[2016-12-01]</li>
  <li>[ro.build.version.security_patch]:[2016-12-05]</li>
</ul>
<p>
<strong>2. Why does this bulletin have two security patch levels?</strong>
</p>
<p>
This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.
</p>
<ul>
  <li>Devices that use the December 1, 2016 security patch level must include all
  issues associated with that security patch level, as well as fixes for all
  issues reported in previous security bulletins.</li>
  <li>Devices that use the security patch level of December 5, 2016 or newer must
  include all applicable patches in this (and previous) security
  bulletins.</li>
</ul>
<p>
Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.
</p>
<p>
<strong>3. How do I determine which Google devices are affected by each
issue?</strong>
</p>
<p>
In the <a
href="#2016-12-01-details">2016-12-01</a> and
<a href="#2016-12-05-details">2016-12-05</a>
security vulnerability details sections, each table has an <em>Updated Google
devices</em> column that covers the range of affected Google devices updated for
each issue. This column has a few options:
</p>
<ul>
  <li><strong>All Google devices</strong>: If an issue affects All and Pixel
  devices, the table will have "All" in the <em>Updated Google devices</em>
  column. "All" encapsulates the following <a
  href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">supported
  devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9,
  Android One, Nexus Player, Pixel C, Pixel, and Pixel XL.</li>
  <li><strong>Some Google devices</strong>: If an issue doesn't affect all Google
  devices, the affected Google devices are listed in the <em>Updated Google
  devices</em> column.</li>
  <li><strong>No Google devices</strong>: If no Google devices running Android 7.0
  are affected by the issue, the table will have "None" in the <em>Updated Google
  devices</em> column.</li>
</ul>
<p>
<strong>4. What do the entries in the references column map to?</strong>
</p>
<p>
Entries under the <em>References</em> column of the vulnerability details table
may contain a prefix identifying the organization to which the reference value
belongs. These prefixes map as follows:
</p>
<table>
  <tr>
   <th>Prefix</th>
   <th>Reference</th>
  </tr>
  <tr>
   <td>A-</td>
   <td>Android bug ID</td>
  </tr>
  <tr>
   <td>QC-</td>
   <td>Qualcomm reference number</td>
  </tr>
  <tr>
   <td>M-</td>
   <td>MediaTek reference number</td>
  </tr>
  <tr>
   <td>N-</td>
   <td>NVIDIA reference number</td>
  </tr>
  <tr>
   <td>B-</td>
   <td>Broadcom reference number</td>
  </tr>
</table>
<h2 id="revisions">Revisions</h2>
<ul>
  <li>December 05, 2016: Bulletin published.</li>
  <li>December 07, 2016: Bulletin revised to include AOSP links and updated
      attribution for CVE-2016-6915, CVE-2016-6916 and CVE-2016-6917.</li>
  <li>December 21, 2016: Corrected typos in CVE-2016-8411 description and
      Common Questions and Answers.</li>
</ul>

  </body>
</html>