1page.title=Android Security Bulletin—May 2016 2@jd:body 3 4<!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18--> 19 20<p><em>Published May 02, 2016 | Updated May 04, 2016</em></p> 21 22<p>The Android Security Bulletin contains details of security vulnerabilities 23affecting Android devices. Alongside the bulletin, we have released a 24security update to Nexus devices through an over-the-air (OTA) update. The 25Nexus firmware images have also been released to the 26<a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. 27Security Patch Levels of May 01, 2016 or later address these issues (refer to 28the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> 29for instructions on how to check the security patch level).</p> 30 31<p>Partners were notified about the issues described in the bulletin on April 04, 322016 or earlier. Where applicable, source code patches for these issues have 33been released to the Android Open Source Project (AOSP) repository.</p> 34 35<p>The most severe of these issues is a Critical security vulnerability that could 36enable remote code execution on an affected device through multiple methods 37such as email, web browsing, and MMS when processing media files.</p> 38 39<p>We have had no reports of active customer exploitation or abuse of these newly 40reported issues. Refer to the <a href="#mitigations">Android and Google Service Mitigations</a> 41section for details on the <a href="{@docRoot}security/enhancements/index.html"> 42Android security platform protections</a> and service protections such as SafetyNet, 43which improve the security of the Android platform.</p> 44 45<p>We encourage all customers to accept these updates to their devices.</p> 46 47<h2 id=announcements>Announcements</h2> 48 49 50<ul> 51 <li> To reflect a broader focus, we renamed this bulletin (and all following in the 52 series) to the Android Security Bulletin. These bulletins encompass a broader 53 range of vulnerabilities that may affect Android devices, even if they do not 54 affect Nexus devices.</li> 55 <li> We updated the Android Security 56 <a href="{@docRoot}security/overview/updates-resources.html#severity">severity ratings</a>. 57 These changes were the result of data collected over the last six months on 58 reported security vulnerabilities and aim to align severities more closely with 59 real world impact to users.</li> 60</ul> 61 62<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> 63 64 65<p>The table below contains a list of security vulnerabilities, the Common 66Vulnerability and Exposures ID (CVE), their assessed severity and whether or 67not Nexus devices are affected. 68The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> 69is based on the effect that exploiting the vulnerability would possibly have 70on an affected device, assuming the platform and service mitigations are 71disabled for development purposes or if successfully bypassed.</p> 72<table> 73 <col width="55%"> 74 <col width="20%"> 75 <col width="13%"> 76 <col width="12%"> 77 <tr> 78 <th>Issue</th> 79 <th>CVE</th> 80 <th>Severity</th> 81 <th>Affects Nexus?</th> 82 </tr> 83 <tr> 84 <td>Remote Code Execution Vulnerability in Mediaserver</td> 85 <td>CVE-2016-2428<br /> 86 CVE-2016-2429</td> 87 <td>Critical</td> 88 <td>Yes</td> 89 </tr> 90 <tr> 91 <td>Elevation of Privilege Vulnerability in Debuggerd</td> 92 <td>CVE-2016-2430</td> 93 <td>Critical</td> 94 <td>Yes</td> 95 </tr> 96 <tr> 97 <td>Elevation of Privilege Vulnerability in Qualcomm TrustZone </td> 98 <td>CVE-2016-2431<br /> 99 CVE-2016-2432</td> 100 <td>Critical</td> 101 <td>Yes</td> 102 </tr> 103 <tr> 104 <td>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</td> 105 <td>CVE-2015-0569<br /> 106 CVE-2015-0570</td> 107 <td>Critical</td> 108 <td>Yes</td> 109 </tr> 110 <tr> 111 <td>Elevation of Privilege Vulnerability in NVIDIA Video Driver </td> 112 <td>CVE-2016-2434<br /> 113 CVE-2016-2435<br /> 114 CVE-2016-2436<br /> 115 CVE-2016-2437</td> 116 <td>Critical</td> 117 <td>Yes</td> 118 </tr> 119 <tr> 120 <td>Elevation of Privilege Vulnerability in Kernel</td> 121 <td>CVE-2015-1805</td> 122 <td>Critical</td> 123 <td>Yes</td> 124 </tr> 125 <tr> 126 <td>Remote Code Execution Vulnerability in Kernel</td> 127 <td>CVE-2016-2438</td> 128 <td>High</td> 129 <td>Yes</td> 130 </tr> 131 <tr> 132 <td>Information Disclosure Vulnerability in Qualcomm Tethering Controller</td> 133 <td>CVE-2016-2060</td> 134 <td>High</td> 135 <td>No</td> 136 </tr> 137 <tr> 138 <td>Remote Code Execution in Bluetooth</td> 139 <td>CVE-2016-2439</td> 140 <td>High</td> 141 <td>Yes</td> 142 </tr> 143 <tr> 144 <td>Elevation of Privilege in Binder</td> 145 <td>CVE-2016-2440</td> 146 <td>High</td> 147 <td>Yes</td> 148 </tr> 149 <tr> 150 <td>Elevation of Privilege Vulnerability in Qualcomm Buspm Driver</td> 151 <td>CVE-2016-2441<br /> 152 CVE-2016-2442</td> 153 <td>High</td> 154 <td>Yes</td> 155 </tr> 156 <tr> 157 <td>Elevation of Privilege Vulnerability in Qualcomm MDP Driver</td> 158 <td>CVE-2016-2443</td> 159 <td>High</td> 160 <td>Yes</td> 161 </tr> 162 <tr> 163 <td>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</td> 164 <td>CVE-2015-0571</td> 165 <td>High</td> 166 <td>Yes</td> 167 </tr> 168 <tr> 169 <td>Elevation of Privilege Vulnerability in NVIDIA Video Driver</td> 170 <td>CVE-2016-2444<br /> 171 CVE-2016-2445<br /> 172 CVE-2016-2446</td> 173 <td>High</td> 174 <td>Yes</td> 175 </tr> 176 <tr> 177 <td>Elevation of Privilege in Wi-Fi</td> 178 <td>CVE-2016-4477</td> 179 <td>High</td> 180 <td>Yes</td> 181 </tr> 182 <tr> 183 <td>Elevation of Privilege Vulnerability in Mediaserver</td> 184 <td>CVE-2016-2448<br /> 185 CVE-2016-2449<br /> 186 CVE-2016-2450<br /> 187 CVE-2016-2451<br /> 188 CVE-2016-2452</td> 189 <td>High</td> 190 <td>Yes</td> 191 </tr> 192 <tr> 193 <td>Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver</td> 194 <td>CVE-2016-2453</td> 195 <td>High</td> 196 <td>Yes</td> 197 </tr> 198 <tr> 199 <td>Remote Denial of Service Vulnerability in Qualcomm Hardware Codec</td> 200 <td>CVE-2016-2454</td> 201 <td>High</td> 202 <td>Yes</td> 203 </tr> 204 <tr> 205 <td>Elevation of Privilege in Conscrypt</td> 206 <td>CVE-2016-2461<br /> 207 CVE-2016-2462</td> 208 <td>Moderate</td> 209 <td>Yes</td> 210 </tr> 211 <tr> 212 <td>Elevation of Privilege Vulnerability in OpenSSL & BoringSSL</td> 213 <td>CVE-2016-0705</td> 214 <td>Moderate</td> 215 <td>Yes</td> 216 </tr> 217 <tr> 218 <td>Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver</td> 219 <td>CVE-2016-2456</td> 220 <td>Moderate</td> 221 <td>Yes</td> 222 </tr> 223 <tr> 224 <td>Elevation of Privilege in Wi-Fi</td> 225 <td>CVE-2016-2457</td> 226 <td>Moderate</td> 227 <td>Yes</td> 228 </tr> 229 <tr> 230 <td>Information Disclosure Vulnerability in AOSP Mail </td> 231 <td>CVE-2016-2458</td> 232 <td>Moderate</td> 233 <td>Yes</td> 234 </tr> 235 <tr> 236 <td>Information Disclosure Vulnerability in Mediaserver</td> 237 <td>CVE-2016-2459<br /> 238 CVE-2016-2460</td> 239 <td>Moderate</td> 240 <td>Yes</td> 241 </tr> 242 <tr> 243 <td>Denial of Service Vulnerability in Kernel</td> 244 <td>CVE-2016-0774</td> 245 <td>Low</td> 246 <td>Yes</td> 247 </tr> 248</table> 249 250 251<h2 id=android_and_google_service_mitigations>Android and Google Service Mitigations</h2> 252 253 254<p>This is a summary of the mitigations provided by the 255<a href="{@docRoot}security/enhancements/index.html">Android security platform</a> 256and service protections such as SafetyNet. These capabilities reduce the 257likelihood that security vulnerabilities could be successfully exploited on 258Android.</p> 259 260<ul> 261 <li> Exploitation for many issues on Android is made more difficult by enhancements 262 in newer versions of the Android platform. We encourage all users to update to 263 the latest version of Android where possible.</li> 264 <li> The Android Security team actively monitors for abuse with 265 <a href="{@docRoot}security/reports/Google_Android_Security_2015_Report_Final.pdf"> 266 Verify Apps and SafetyNet</a>, which are designed to warn users about 267 <a href="{@docRoot}security/reports/Google_Android_Security_PHA_classifications.pdf"> 268 Potentially Harmful Applications</a>. Verify Apps is enabled by default on devices with 269 <a href="http://www.android.com/gms">Google Mobile Services</a>, and is especially 270 important for users who install applications from outside 271 of Google Play. Device rooting tools are prohibited within Google Play, but 272 Verify Apps warns users when they attempt to install a detected rooting 273 application—no matter where it comes from. Additionally, Verify Apps attempts 274 to identify and block installation of known malicious applications that exploit 275 a privilege escalation vulnerability. If such an application has already been 276 installed, Verify Apps will notify the user and attempt to remove the detected 277 application.</li> 278 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 279 pass media to processes such as mediaserver.</li> 280</ul> 281 282<h2 id=acknowledgements>Acknowledgements</h2> 283 284 285<p>We would like to thank these researchers for their contributions:</p> 286 287<ul> 288 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 289 Team: CVE-2016-2454 290 <li> Andy Tyler (<a href="https://twitter.com/ticarpi">@ticarpi</a>) of 291 <a href="https://www.e2e-assure.com">e2e-assure</a>: CVE-2016-2457 292 <li> Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>) and 293 Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-2441, 294 CVE-2016-2442 295 <li> Dzmitry Lukyanenka (<a href="http://www.linkedin.com/in/dzima"> 296 www.linkedin.com/in/dzima</a>): CVE-2016-2458 297 <li> Gal Beniamini: CVE-2016-2431 298 <li> Hao Chen of Vulpecker Team, Qihoo 360 Technology Co. Ltd: CVE-2016-2456 299 <li> Jake Valletta of Mandiant, a FireEye company: CVE-2016-2060 300 <li> Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) 301 and pjf (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab, 302 Qihoo 360 Technology Co. Ltd: CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, 303 CVE-2016-2441, CVE-2016-2442, CVE-2016-2444, CVE-2016-2445, CVE-2016-2446 304 <li> Imre Rad of <a href="http://www.search-lab.hu">Search-Lab Ltd.</a>: CVE-2016-4477 305 <li> Jeremy C. Joslin of Google: CVE-2016-2461 306 <li> Kenny Root of Google: CVE-2016-2462 307 <li> Marco Grassi (<a href="https://twitter.com/marcograss">@marcograss</a>) of KeenLab 308 (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-2443 309 <li> Michał Bednarski (<a href="https://github.com/michalbednarski"> 310 https://github.com/michalbednarski</a>): CVE-2016-2440 311 <li> Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), 312 Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian 313 Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-2450, CVE-2016-2448, 314 CVE-2016-2449, CVE-2016-2451, CVE-2016-2452 315 <li> Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>) of Trend Micro: 316 CVE-2016-2459, CVE-2016-2460 317 <li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc.: 318 CVE-2016-2428, CVE-2016-2429 319 <li> <a href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a>, <a href="mailto:zlbzlb815@163.com"> 320 Lubo Zhang</a>, Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), 321 and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-2437 322 <li> Yulong Zhang and Tao (Lenx) Wei of Baidu X-Lab: CVE-2016-2439 323 <li> Zach Riggle (<a href="https://twitter.com/ebeip90">@ebeip90</a>) of the Android 324 Security Team: CVE-2016-2430 325</ul> 326 327<h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 328 329 330<p>In the sections below, we provide details for each of the security 331vulnerabilities listed in the <a href="#security_vulnerability_summary"> 332Security Vulnerability Summary</a> above. There is a description of the issue, 333a severity rationale, and a table with the CVE, associated bug, severity, 334updated Nexus devices, updated AOSP versions (where applicable), and date reported. 335When available, we will link the AOSP change that addressed the issue to 336the bug ID. When multiple changes relate to a single bug, additional AOSP 337references are linked to numbers following the bug ID.</p> 338 339<h3 id=remote_code_execution_vulnerability_in_mediaserver> 340Remote Code Execution Vulnerability in Mediaserver</h3> 341 342 343<p>During media file and data processing of a specially crafted file, a 344vulnerability in mediaserver could allow an attacker to cause memory corruption 345and remote code execution as the mediaserver process.</p> 346 347<p>The affected functionality is provided as a core part of the operating system 348and there are multiple applications that allow it to be reached with remote 349content, most notably MMS and browser playback of media.</p> 350 351<p>This issue is rated as Critical severity due to the possibility of remote code 352execution within the context of the mediaserver service. The mediaserver 353service has access to audio and video streams, as well as access to privileges 354that third-party apps could not normally access.</p> 355<table> 356 <col width="19%"> 357 <col width="16%"> 358 <col width="10%"> 359 <col width="19%"> 360 <col width="18%"> 361 <col width="16%"> 362 <tr> 363 <th>CVE</th> 364 <th>Android bugs</th> 365 <th>Severity</th> 366 <th>Updated Nexus devices</th> 367 <th>Updated AOSP versions</th> 368 <th>Date reported</th> 369 </tr> 370 <tr> 371 <td>CVE-2016-2428</td> 372 <td><a href="https://android.googlesource.com/platform/external/aac/+/5d4405f601fa11a8955fd7611532c982420e4206"> 373 26751339</a></td> 374 <td>Critical</td> 375 <td><a href="#nexus_devices">All Nexus</a></td> 376 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 377 <td>Jan 22, 2016</td> 378 </tr> 379 <tr> 380 <td>CVE-2016-2429</td> 381 <td><a href="https://android.googlesource.com/platform/external/flac/+/b499389da21d89d32deff500376c5ee4f8f0b04c"> 382 27211885</a></td> 383 <td>Critical</td> 384 <td><a href="#nexus_devices">All Nexus</a></td> 385 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 386 <td>Feb 16, 2016</td> 387 </tr> 388</table> 389 390 391<h3 id=elevation_of_privilege_vulnerability_in_debuggerd> 392Elevation of Privilege Vulnerability in Debuggerd</h3> 393 394 395<p>An elevation of privilege vulnerability in the integrated Android debugger 396could enable a local malicious application to execute arbitrary code within the 397context of the Android debugger. This issue is rated as Critical severity due 398to the possibility of a local permanent device compromise, which may require 399reflashing the operating system to repair the device.</p> 400<table> 401 <col width="19%"> 402 <col width="16%"> 403 <col width="10%"> 404 <col width="19%"> 405 <col width="18%"> 406 <col width="16%"> 407 <tr> 408 <th>CVE</th> 409 <th>Android bug</th> 410 <th>Severity</th> 411 <th>Updated Nexus devices</th> 412 <th>Updated AOSP versions</th> 413 <th>Date reported</th> 414 </tr> 415 <tr> 416 <td>CVE-2016-2430</td> 417 <td><a href="https://android.googlesource.com/platform/system/core/+/ad54cfed4516292654c997910839153264ae00a0"> 418 27299236</a></td> 419 <td>Critical</td> 420 <td><a href="#nexus_devices">All Nexus</a></td> 421 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 422 <td>Feb 22, 2016</td> 423 </tr> 424</table> 425 426 427<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_trustzone> 428Elevation of Privilege Vulnerability in Qualcomm TrustZone </h3> 429 430 431<p>An elevation of privilege vulnerability in the Qualcomm TrustZone component 432could enable a secure local malicious application to execute arbitrary code 433within the context of the TrustZone kernel. This issue is rated as Critical 434severity due to the possibility of a local permanent device compromise, which 435may require reflashing the operating system to repair the device.</p> 436<table> 437 <col width="19%"> 438 <col width="16%"> 439 <col width="10%"> 440 <col width="27%"> 441 <col width="16%"> 442 <tr> 443 <th>CVE</th> 444 <th>Android bugs</th> 445 <th>Severity</th> 446 <th>Updated Nexus devices</th> 447 <th>Date reported</th> 448 </tr> 449 <tr> 450 <td>CVE-2016-2431</td> 451 <td>24968809*</td> 452 <td>Critical</td> 453 <td>Nexus 5, Nexus 6, Nexus 7 (2013), Android One</td> 454 <td>Oct 15, 2015</td> 455 </tr> 456 <tr> 457 <td>CVE-2016-2432</td> 458 <td>25913059*</td> 459 <td>Critical</td> 460 <td>Nexus 6, Android One</td> 461 <td>Nov 28, 2015</td> 462 </tr> 463</table> 464<p>* The patch for this issue is not in AOSP. The update is contained in the 465latest binary drivers for Nexus devices available from the 466<a href="https://developers.google.com/android/nexus/drivers">Google Developer 467site</a>.</p> 468 469<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wi-fi_driver> 470Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3> 471 472 473<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could 474enable a local malicious application to execute arbitrary code within the 475context of the kernel. This issue is rated as Critical severity due to 476possibility of a local privilege escalation and arbitrary code execution 477leading to the possibility of a local permanent device compromise, which may 478require reflashing the operating system to repair the device.</p> 479<table> 480 <col width="19%"> 481 <col width="16%"> 482 <col width="10%"> 483 <col width="27%"> 484 <col width="16%"> 485 <tr> 486 <th>CVE</th> 487 <th>Android bugs</th> 488 <th>Severity</th> 489 <th>Updated Nexus devices</th> 490 <th>Date reported</th> 491 </tr> 492 <tr> 493 <td>CVE-2015-0569</td> 494 <td>26754117*</td> 495 <td>Critical</td> 496 <td>Nexus 5X, Nexus 7 (2013)</td> 497 <td>Jan 23, 2016</td> 498 </tr> 499 <tr> 500 <td>CVE-2015-0570</td> 501 <td>26764809*</td> 502 <td>Critical</td> 503 <td>Nexus 5X, Nexus 7 (2013)</td> 504 <td>Jan 25, 2016</td> 505 </tr> 506</table> 507<p>* The patch for this issue is not in AOSP. The update is contained in the 508latest binary drivers for Nexus devices available from the 509<a href="https://developers.google.com/android/nexus/drivers">Google Developer 510site</a>.</p> 511 512<h3 id=elevation_of_privilege_vulnerability_in_nvidia_video_driver> 513Elevation of Privilege Vulnerability in NVIDIA Video Driver</h3> 514 515 516<p>An elevation of privilege vulnerability in the NVIDIA video driver could enable 517a local malicious application to execute arbitrary code within the context of 518the kernel. This issue is rated as Critical severity due to the possibility of 519a local permanent device compromise, which may require reflashing the operating 520system to repair the device.</p> 521<table> 522 <col width="19%"> 523 <col width="16%"> 524 <col width="10%"> 525 <col width="27%"> 526 <col width="16%"> 527 <tr> 528 <th>CVE</th> 529 <th>Android bugs</th> 530 <th>Severity</th> 531 <th>Updated Nexus devices</th> 532 <th>Date reported</th> 533 </tr> 534 <tr> 535 <td>CVE-2016-2434</td> 536 <td>27251090*</td> 537 <td>Critical</td> 538 <td>Nexus 9</td> 539 <td>Feb 17, 2016</td> 540 </tr> 541 <tr> 542 <td>CVE-2016-2435</td> 543 <td>27297988*</td> 544 <td>Critical</td> 545 <td>Nexus 9</td> 546 <td>Feb 20, 2016</td> 547 </tr> 548 <tr> 549 <td>CVE-2016-2436</td> 550 <td>27299111*</td> 551 <td>Critical</td> 552 <td>Nexus 9</td> 553 <td>Feb 22, 2016</td> 554 </tr> 555 <tr> 556 <td>CVE-2016-2437</td> 557 <td>27436822*</td> 558 <td>Critical</td> 559 <td>Nexus 9</td> 560 <td>Mar 1, 2016</td> 561 </tr> 562</table> 563<p>* The patch for this issue is not in AOSP. The update is contained in the 564latest binary drivers for Nexus devices available from the 565<a href="https://developers.google.com/android/nexus/drivers">Google Developer 566site</a>.</p> 567 568<h3 id=elevation_of_privilege_vulnerability_in_kernel> 569Elevation of Privilege Vulnerability in Kernel</h3> 570 571 572<p>An elevation of privilege vulnerability in the kernel could enable a local 573malicious application to execute arbitrary code within the context of the 574kernel. This issue is rated as Critical severity due to the possibility of a 575local privilege escalation and arbitrary code execution leading to the 576possibility of a local permanent device compromise, which may require 577reflashing the operating system to repair the device. This issue was described 578in <a href="{@docRoot}security/advisory/2016-03-18.html">Android Security Advisory 2016-03-18</a>.</p> 579<table> 580 <col width="19%"> 581 <col width="16%"> 582 <col width="10%"> 583 <col width="27%"> 584 <col width="16%"> 585 <tr> 586 <th>CVE</th> 587 <th>Android bug</th> 588 <th>Severity</th> 589 <th>Updated Nexus devices</th> 590 <th>Date reported</th> 591 </tr> 592 <tr> 593 <td>CVE-2015-1805</td> 594 <td>27275324*</td> 595 <td>Critical</td> 596 <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9</td> 597 <td>Feb 19, 2016</td> 598 </tr> 599</table> 600<p>* The patch in AOSP is available for specific kernel versions: 601<a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">3.14</a>, 602<a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">3.10</a>, and 603<a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">3.4</a>.</p> 604 605<h3 id=remote_code_execution_vulnerability_in_kernel> 606Remote Code Execution Vulnerability in Kernel</h3> 607 608 609<p>A remote code execution vulnerability in the audio subsystem could enable a 610local malicious application to execute arbitrary code within the context of the 611kernel. Normally a kernel code execution bug like this would be rated Critical, 612but because it first requires compromising a privileged service in order to 613call the audio subsystem, it is rated High severity.</p> 614<table> 615 <col width="19%"> 616 <col width="16%"> 617 <col width="10%"> 618 <col width="27%"> 619 <col width="16%"> 620 <tr> 621 <th>CVE</th> 622 <th>Android bug</th> 623 <th>Severity</th> 624 <th>Updated Nexus devices</th> 625 <th>Date reported</th> 626 </tr> 627 <tr> 628 <td>CVE-2016-2438</td> 629 <td>26636060*</td> 630 <td>High</td> 631 <td>Nexus 9 </td> 632 <td>Google Internal</td> 633 </tr> 634</table> 635<p>* The patch for this issue is available in 636<a href="https://github.com/torvalds/linux/commit/b5a663aa426f4884c71cd8580adae73f33570f0d"> 637Linux upstream</a>.</p> 638 639<h3 id=information_disclosure_vulnerability_in_qualcomm_tethering_controller> 640Information Disclosure Vulnerability in Qualcomm Tethering Controller</h3> 641 642 643<p>An information disclosure vulnerability in the Qualcomm Tethering controller 644could allow a local malicious application to access personal identifiable 645information without the privileges to do so. This issue is rated as High 646severity because it can be used to gain elevated capabilities, such as 647<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or 648<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 649permissions privileges, which are not accessible to a third-party application.</p> 650<table> 651 <col width="19%"> 652 <col width="16%"> 653 <col width="10%"> 654 <col width="27%"> 655 <col width="16%"> 656 <tr> 657 <th>CVE</th> 658 <th>Android bug</th> 659 <th>Severity</th> 660 <th>Updated Nexus devices</th> 661 <th>Date reported</th> 662 </tr> 663 <tr> 664 <td>CVE-2016-2060</td> 665 <td>27942588*</td> 666 <td>High</td> 667 <td>None</td> 668 <td>Mar 23, 2016</td> 669 </tr> 670</table> 671<p>* The patch for this issue is not in AOSP. The update should be contained in the 672latest drivers of affected devices.</p> 673 674<h3 id=remote_code_execution_vulnerability_in_bluetooth> 675Remote Code Execution Vulnerability in Bluetooth</h3> 676 677 678<p>During pairing of a Bluetooth device, a vulnerability in Bluetooth could allow 679a proximal attacker to execute arbitrary code during the pairing process. This 680issue is rated as High severity due to the possibility of remote code execution 681during the initialization of a Bluetooth device.</p> 682<table> 683 <col width="19%"> 684 <col width="16%"> 685 <col width="10%"> 686 <col width="19%"> 687 <col width="18%"> 688 <col width="16%"> 689 <tr> 690 <th>CVE</th> 691 <th>Android bug</th> 692 <th>Severity</th> 693 <th>Updated Nexus devices</th> 694 <th>Updated AOSP versions</th> 695 <th>Date reported</th> 696 </tr> 697 <tr> 698 <td>CVE-2016-2439</td> 699 <td><a href="https://android.googlesource.com/platform/system/bt/+/9b534de2aca5d790c2a1c4d76b545f16137d95dd"> 700 27411268</a></td> 701 <td>High</td> 702 <td><a href="#nexus_devices">All Nexus</a></td> 703 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 704 <td>Feb 28, 2016</td> 705 </tr> 706</table> 707 708 709<h3 id=elevation_of_privilege_vulnerability_in_binder> 710Elevation of Privilege Vulnerability in Binder</h3> 711 712 713<p>An elevation of privilege vulnerability in Binder could allow a local malicious 714application to execute arbitrary code within the context of another app’s 715process. While freeing memory, a vulnerability in the Binder could allow an 716attacker to cause local code execution. This issue is rated as High severity 717due to the possibility of local code execution during free memory process in 718the Binder.</p> 719<table> 720 <col width="19%"> 721 <col width="16%"> 722 <col width="10%"> 723 <col width="19%"> 724 <col width="18%"> 725 <col width="16%"> 726 <tr> 727 <th>CVE</th> 728 <th>Android bug</th> 729 <th>Severity</th> 730 <th>Updated Nexus devices</th> 731 <th>Updated AOSP versions</th> 732 <th>Date reported</th> 733 </tr> 734 <tr> 735 <td>CVE-2016-2440</td> 736 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/a59b827869a2ea04022dd225007f29af8d61837a"> 737 27252896</a></td> 738 <td>High</td> 739 <td><a href="#nexus_devices">All Nexus</a></td> 740 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 741 <td>Feb 18, 2016</td> 742 </tr> 743</table> 744 745 746<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_buspm_driver> 747Elevation of Privilege Vulnerability in Qualcomm Buspm Driver</h3> 748 749 750<p>An elevation of privilege vulnerability in the Qualcomm buspm driver could 751enable a local malicious application to execute arbitrary code within the 752context of the kernel. Normally a kernel code execution bug like this would be 753rated Critical, but because it first requires compromising a service that can 754call the driver, it is rated as High severity.</p> 755<table> 756 <col width="19%"> 757 <col width="16%"> 758 <col width="10%"> 759 <col width="27%"> 760 <col width="16%"> 761 <tr> 762 <th>CVE</th> 763 <th>Android bugs</th> 764 <th>Severity</th> 765 <th>Updated Nexus devices</th> 766 <th>Date reported</th> 767 </tr> 768 <tr> 769 <td>CVE-2016-2441</td> 770 <td>26354602*</td> 771 <td>High</td> 772 <td>Nexus 5X, Nexus 6, Nexus 6P</td> 773 <td>Dec 30, 2015</td> 774 </tr> 775 <tr> 776 <td>CVE-2016-2442</td> 777 <td>26494907*</td> 778 <td>High</td> 779 <td>Nexus 5X, Nexus 6, Nexus 6P</td> 780 <td>Dec 30, 2015</td> 781 </tr> 782</table> 783<p>* The patch for this issue is not in AOSP. The update is contained in the 784latest binary drivers for Nexus devices available from the 785<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 786 787<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_mdp_driver> 788Elevation of Privilege Vulnerability in Qualcomm MDP Driver</h3> 789 790 791<p>An elevation of privilege vulnerability in the Qualcomm MDP driver could enable 792a local malicious application to execute arbitrary code within the context of 793the kernel. Normally a kernel code execution bug like this would be rated 794Critical, but because it first requires compromising a service that can call 795the driver, it is rated as High severity.</p> 796<table> 797 <col width="19%"> 798 <col width="16%"> 799 <col width="10%"> 800 <col width="27%"> 801 <col width="16%"> 802 <tr> 803 <th>CVE</th> 804 <th>Android bug</th> 805 <th>Severity</th> 806 <th>Updated Nexus devices</th> 807 <th>Date reported</th> 808 </tr> 809 <tr> 810 <td>CVE-2016-2443</td> 811 <td>26404525*</td> 812 <td>High</td> 813 <td>Nexus 5, Nexus 7 (2013)</td> 814 <td>Jan 5, 2016</td> 815 </tr> 816</table> 817<p>* The patch for this issue is not in AOSP. The update is contained in the 818latest binary drivers for Nexus devices available from the 819<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 820 821<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wi-fi_driver> 822Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3> 823 824 825<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi component could 826enable a local malicious application to invoke system calls changing the device 827settings and behavior without the privileges to do so. This issue is rated as 828High severity because it could be used to gain local access to elevated 829capabilities, such as 830<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or 831<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 832permissions privileges, which are not accessible to a third-party application.</p> 833<table> 834 <col width="19%"> 835 <col width="16%"> 836 <col width="10%"> 837 <col width="27%"> 838 <col width="16%"> 839 <tr> 840 <th>CVE</th> 841 <th>Android bug</th> 842 <th>Severity</th> 843 <th>Updated Nexus devices</th> 844 <th>Date reported</th> 845 </tr> 846 <tr> 847 <td>CVE-2015-0571</td> 848 <td>26763920*</td> 849 <td>High</td> 850 <td>Nexus 5X, Nexus 7 (2013)</td> 851 <td>Jan 25, 2016</td> 852 </tr> 853</table> 854<p>* The patch for this issue is not in AOSP. The update is contained in the 855latest binary drivers for Nexus devices available from the 856<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 857 858<h3 id=elevation_of_privilege_vulnerability_in_nvidia_video_driver> 859Elevation of Privilege Vulnerability in NVIDIA Video Driver</h3> 860 861 862<p>An elevation of privilege vulnerability in the NVIDIA media driver could enable 863a local malicious application to execute arbitrary code within the context of 864the kernel. Normally a kernel code execution bug like this would be rated 865Critical, but because it first requires compromising a high privilege service 866to call the driver, it is rated High severity.</p> 867<table> 868 <col width="19%"> 869 <col width="16%"> 870 <col width="10%"> 871 <col width="27%"> 872 <col width="16%"> 873 <tr> 874 <th>CVE</th> 875 <th>Android bugs</th> 876 <th>Severity</th> 877 <th>Updated Nexus devices</th> 878 <th>Date reported</th> 879 </tr> 880 <tr> 881 <td>CVE-2016-2444</td> 882 <td>27208332*</td> 883 <td>High</td> 884 <td>Nexus 9</td> 885 <td>Feb 16, 2016</td> 886 </tr> 887 <tr> 888 <td>CVE-2016-2445</td> 889 <td>27253079*</td> 890 <td>High</td> 891 <td>Nexus 9</td> 892 <td>Feb 17, 2016</td> 893 </tr> 894 <tr> 895 <td>CVE-2016-2446</td> 896 <td>27441354*</td> 897 <td>High</td> 898 <td>Nexus 9</td> 899 <td>Mar 1, 2016</td> 900 </tr> 901</table> 902<p>* The patch for this issue is not in AOSP. The update is contained in the 903latest binary drivers for Nexus devices available from the 904<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 905 906<h3 id=elevation_of_privilege_vulnerability_in_wi-fi> 907Elevation of Privilege Vulnerability in Wi-Fi</h3> 908 909 910<p>An elevation of privilege vulnerability in Wi-Fi could enable a local malicious 911application to execute arbitrary code within the context of an elevated system 912application. This issue is rated as High severity because it could also be used 913to gain elevated capabilities, such as 914<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or 915<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 916permissions privileges, which are not accessible to third-party applications.</p> 917 918<p><strong>Note</strong>:The CVE number has been updated, per MITRE request, 919from CVE-2016-2447 to CVE-2016-4477.</p> 920 921<table> 922 <col width="19%"> 923 <col width="16%"> 924 <col width="10%"> 925 <col width="19%"> 926 <col width="18%"> 927 <col width="16%"> 928 <tr> 929 <th>CVE</th> 930 <th>Android bug</th> 931 <th>Severity</th> 932 <th>Updated Nexus devices</th> 933 <th>Updated AOSP versions</th> 934 <th>Date reported</th> 935 </tr> 936 <tr> 937 <td>CVE-2016-4477</td> 938 <td><a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/b79e09574e50e168dd5f19d540ae0b9a05bd1535"> 939 27371366</a> 940 [<a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/b845b81ec6d724bd359cdb77f515722dd4066cf8">2</a>] 941 </td> 942 <td>High</td> 943 <td><a href="#nexus_devices">All Nexus</a></td> 944 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 945 <td>Feb 24, 2016</td> 946 </tr> 947</table> 948 949 950<h3 id=elevation_of_privilege_vulnerability_in_mediaserver> 951Elevation of Privilege Vulnerability in Mediaserver</h3> 952 953 954<p>An elevation of privilege vulnerability in mediaserver could enable a local 955malicious application to execute arbitrary code within the context of an 956elevated system application. This issue is rated as High severity because it 957could be used to gain elevated capabilities, such as 958<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or 959<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 960permissions privileges, which are not accessible to a third-party application.</p> 961<table> 962 <col width="19%"> 963 <col width="16%"> 964 <col width="10%"> 965 <col width="19%"> 966 <col width="18%"> 967 <col width="16%"> 968 <tr> 969 <th>CVE</th> 970 <th>Android bugs</th> 971 <th>Severity</th> 972 <th>Updated Nexus devices</th> 973 <th>Updated AOSP versions</th> 974 <th>Date reported</th> 975 </tr> 976 <tr> 977 <td>CVE-2016-2448</td> 978 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/a2d1d85726aa2a3126e9c331a8e00a8c319c9e2b"> 979 27533704</a></td> 980 <td>High</td> 981 <td><a href="#nexus_devices">All Nexus</a></td> 982 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 983 <td>Mar 7, 2016</td> 984 </tr> 985 <tr> 986 <td>CVE-2016-2449</td> 987 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/b04aee833c5cfb6b31b8558350feb14bb1a0f353"> 988 27568958</a></td> 989 <td>High</td> 990 <td><a href="#nexus_devices">All Nexus</a></td> 991 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 992 <td>Mar 9, 2016</td> 993 </tr> 994 <tr> 995 <td>CVE-2016-2450</td> 996 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7fd96ebfc4c9da496c59d7c45e1f62be178e626d"> 997 27569635</a></td> 998 <td>High</td> 999 <td><a href="#nexus_devices">All Nexus</a></td> 1000 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1001 <td>Mar 9, 2016</td> 1002 </tr> 1003 <tr> 1004 <td>CVE-2016-2451</td> 1005 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f9ed2fe6d61259e779a37d4c2d7edb33a1c1f8ba"> 1006 27597103</a></td> 1007 <td>High</td> 1008 <td><a href="#nexus_devices">All Nexus</a></td> 1009 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1010 <td>Mar 10, 2016</td> 1011 </tr> 1012 <tr> 1013 <td>CVE-2016-2452</td> 1014 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/44749eb4f273f0eb681d0fa013e3beef754fa687"> 1015 27662364</a> 1016 [<a href="https://android.googlesource.com/platform/frameworks/av/+/65756b4082cd79a2d99b2ccb5b392291fd53703f">2</a>] 1017 [<a href="https://android.googlesource.com/platform/frameworks/av/+/daa85dac2055b22dabbb3b4e537597e6ab73a866">3</a>] 1018 </td> 1019 <td>High</td> 1020 <td><a href="#nexus_devices">All Nexus</a></td> 1021 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1022 <td>Mar 14, 2016</td> 1023 </tr> 1024</table> 1025 1026 1027<h3 id=elevation_of_privilege_vulnerability_in_mediatek_wi-fi_driver> 1028Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver</h3> 1029 1030 1031<p>An elevation of privilege vulnerability in the MediaTek Wi-Fi driver could 1032enable a local malicious application to execute arbitrary code within the 1033context of the kernel. Normally a kernel code execution bug like this would be 1034rated Critical, but because it first requires compromising a service that can 1035call the driver, it is rated as High severity.</p> 1036<table> 1037 <col width="19%"> 1038 <col width="16%"> 1039 <col width="10%"> 1040 <col width="27%"> 1041 <col width="16%"> 1042 <tr> 1043 <th>CVE</th> 1044 <th>Android bug</th> 1045 <th>Severity</th> 1046 <th>Updated Nexus devices</th> 1047 <th>Date reported</th> 1048 </tr> 1049 <tr> 1050 <td>CVE-2016-2453</td> 1051 <td>27549705*</td> 1052 <td>High</td> 1053 <td>Android One</td> 1054 <td>Mar 8, 2016</td> 1055 </tr> 1056</table> 1057<p>* The patch for this issue is not in AOSP. The update is contained in the 1058latest binary drivers for Nexus devices available from the 1059<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1060 1061<h3 id=remote_denial_of_service_vulnerability_in_qualcomm_hardware_codec> 1062Remote Denial of Service Vulnerability in Qualcomm Hardware Codec</h3> 1063 1064 1065<p>During media file and data processing of a specially crafted file, a remote 1066denial of service vulnerability in the Qualcomm hardware video codec could 1067allow a remote attacker to block access to an affected device by causing a 1068device reboot. This is rated as High severity due to the possibility of remote 1069denial of service.</p> 1070<table> 1071 <col width="19%"> 1072 <col width="16%"> 1073 <col width="10%"> 1074 <col width="27%"> 1075 <col width="16%"> 1076 <tr> 1077 <th>CVE</th> 1078 <th>Android bug</th> 1079 <th>Severity</th> 1080 <th>Updated Nexus devices</th> 1081 <th>Date reported</th> 1082 </tr> 1083 <tr> 1084 <td>CVE-2016-2454</td> 1085 <td>26221024*</td> 1086 <td>High</td> 1087 <td>Nexus 5</td> 1088 <td>Dec 16, 2015</td> 1089 </tr> 1090</table> 1091<p>* The patch for this issue is not in AOSP. The update is contained in the 1092latest binary drivers for Nexus devices available from the 1093<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1094 1095<h3 id=elevation_of_privilege_vulnerability_in_conscrypt> 1096Elevation of Privilege Vulnerability in Conscrypt</h3> 1097 1098 1099<p>An elevation of privilege vulnerability in Conscrypt could allow an local 1100application to believe a message was authenticated when it was not. This issue 1101is rated as Moderate severity because it requires coordinated steps across 1102multiple devices.</p> 1103<table> 1104 <col width="19%"> 1105 <col width="16%"> 1106 <col width="10%"> 1107 <col width="19%"> 1108 <col width="18%"> 1109 <col width="16%"> 1110 <tr> 1111 <th>CVE</th> 1112 <th>Android bugs</th> 1113 <th>Severity</th> 1114 <th>Updated Nexus devices</th> 1115 <th>Updated AOSP versions</th> 1116 <th>Date reported</th> 1117 </tr> 1118 <tr> 1119 <td>CVE-2016-2461</td> 1120 <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/50d0447566db4a77d78d592f1c1b5d31096fac8f"> 1121 27324690</a> 1122 [<a href="https://android.googlesource.com/platform/external/conscrypt/+/1638945d4ed9403790962ec7abed1b7a232a9ff8">2</a>] 1123 </td> 1124 <td>Moderate</td> 1125 <td><a href="#nexus_devices">All Nexus</a></td> 1126 <td>6.0, 6.0.1</td> 1127 <td>Google Internal</td> 1128 </tr> 1129 <tr> 1130 <td>CVE-2016-2462</td> 1131 <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/8bec47d2184fca7e8b7337d2a65b2b75a9bc8f54"> 1132 27371173</a></td> 1133 <td>Moderate</td> 1134 <td><a href="#nexus_devices">All Nexus</a></td> 1135 <td>6.0, 6.0.1</td> 1136 <td>Google Internal</td> 1137 </tr> 1138</table> 1139 1140 1141<h3 id=elevation_of_privilege_vulnerability_in_openssl_&_boringssl> 1142Elevation of Privilege Vulnerability in OpenSSL & BoringSSL</h3> 1143 1144 1145<p>An elevation of privilege vulnerability in OpenSSL and BoringSSL could enable a 1146local malicious application to access data outside of its permission levels. 1147Normally this would be rated High, but because it requires an uncommon manual 1148configuration, it is rated as Moderate severity.</p> 1149<table> 1150 <col width="19%"> 1151 <col width="16%"> 1152 <col width="10%"> 1153 <col width="19%"> 1154 <col width="18%"> 1155 <col width="16%"> 1156 <tr> 1157 <th>CVE</th> 1158 <th>Android bug</th> 1159 <th>Severity</th> 1160 <th>Updated Nexus devices</th> 1161 <th>Updated AOSP versions</th> 1162 <th>Date reported</th> 1163 </tr> 1164 <tr> 1165 <td>CVE-2016-0705</td> 1166 <td><a href="https://android.googlesource.com/platform/external/boringssl/+/591be84e89682622957c8f103ca4be3a5ed0f800"> 1167 27449871</a></td> 1168 <td>Moderate</td> 1169 <td><a href="#nexus_devices">All Nexus</a></td> 1170 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1171 <td>Feb 7, 2016</td> 1172 </tr> 1173</table> 1174 1175 1176<h3 id=elevation_of_privilege_vulnerability_in_mediatek_wi-fi_driver> 1177Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver</h3> 1178 1179 1180<p>An elevation of privilege vulnerability in MediaTek Wi-Fi driver could enable a 1181local malicious application to cause a denial of service. Normally an elevation 1182of privilege bug like this would be rated High, but because it requires first 1183compromising a system service, it is rated as Moderate severity.</p> 1184<table> 1185 <col width="19%"> 1186 <col width="16%"> 1187 <col width="10%"> 1188 <col width="27%"> 1189 <col width="16%"> 1190 <tr> 1191 <th>CVE</th> 1192 <th>Android bug</th> 1193 <th>Severity</th> 1194 <th>Updated Nexus devices</th> 1195 <th>Date reported</th> 1196 </tr> 1197 <tr> 1198 <td>CVE-2016-2456</td> 1199 <td>27275187*</td> 1200 <td>Moderate</td> 1201 <td>Android One</td> 1202 <td>Feb 19, 2016</td> 1203 </tr> 1204</table> 1205<p>* The patch for this issue is not in AOSP. The update is contained in the 1206latest binary drivers for Nexus devices available from the 1207<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 1208 1209<h3 id=elevation_of_privilege_vulnerability_in_wi-fi> 1210Elevation of Privilege Vulnerability in Wi-Fi</h3> 1211 1212 1213<p>An elevation of privilege vulnerability in Wi-Fi could enable a guest account 1214to modify the Wi-Fi settings that persist for the primary user. This issue is 1215rated as Moderate severity because it enables local access to " 1216<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel"> 1217dangerous</a>" capabilities without permission.</p> 1218<table> 1219 <col width="19%"> 1220 <col width="16%"> 1221 <col width="10%"> 1222 <col width="19%"> 1223 <col width="18%"> 1224 <col width="16%"> 1225 <tr> 1226 <th>CVE</th> 1227 <th>Android bug</th> 1228 <th>Severity</th> 1229 <th>Updated Nexus devices</th> 1230 <th>Updated AOSP versions</th> 1231 <th>Date reported</th> 1232 </tr> 1233 <tr> 1234 <td>CVE-2016-2457</td> 1235 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/12332e05f632794e18ea8c4ac52c98e82532e5db"> 1236 27411179</a></td> 1237 <td>Moderate</td> 1238 <td><a href="#nexus_devices">All Nexus</a></td> 1239 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 1240 <td>Feb 29, 2016</td> 1241 </tr> 1242</table> 1243 1244 1245<h3 id=information_disclosure_vulnerability_in_aosp_mail> 1246Information Disclosure Vulnerability in AOSP Mail</h3> 1247 1248 1249<p>An information disclosure vulnerability in AOSP Mail could enable a local 1250malicious application to gain access to user’s private information. This issue 1251is rated Moderate severity because it could be used to improperly access data 1252without permission.</p> 1253<table> 1254 <col width="19%"> 1255 <col width="16%"> 1256 <col width="10%"> 1257 <col width="19%"> 1258 <col width="18%"> 1259 <col width="16%"> 1260 <tr> 1261 <th>CVE</th> 1262 <th>Android bug</th> 1263 <th>Severity</th> 1264 <th>Updated Nexus devices</th> 1265 <th>Updated AOSP versions</th> 1266 <th>Date reported</th> 1267 </tr> 1268 <tr> 1269 <td>CVE-2016-2458</td> 1270 <td><a href="https://android.googlesource.com/platform/packages/apps/UnifiedEmail/+/a55168330d9326ff2120285763c818733590266a"> 1271 27335139</a> 1272 [<a href="https://android.googlesource.com/platform/packages/apps/Email/+/2791f0b33b610247ef87278862e66c6045f89693">2</a>] 1273 </td> 1274 <td>Moderate</td> 1275 <td><a href="#nexus_devices">All Nexus</a></td> 1276 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 1277 <td>Feb 23, 2016</td> 1278 </tr> 1279</table> 1280 1281 1282<h3 id=information_disclosure_vulnerability_in_mediaserver> 1283Information Disclosure Vulnerability in Mediaserver</h3> 1284 1285 1286<p>An information disclosure vulnerability in Mediaserver could allow an 1287application to access sensitive information. This issue is rated as Moderate 1288severity because it could be used to improperly access data without permission.</p> 1289<table> 1290 <col width="19%"> 1291 <col width="16%"> 1292 <col width="10%"> 1293 <col width="19%"> 1294 <col width="18%"> 1295 <col width="16%"> 1296 <tr> 1297 <th>CVE</th> 1298 <th>Android bugs</th> 1299 <th>Severity</th> 1300 <th>Updated Nexus devices</th> 1301 <th>Updated AOSP versions</th> 1302 <th>Date reported</th> 1303 </tr> 1304 <tr> 1305 <td>CVE-2016-2459</td> 1306 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/a30d7d90c4f718e46fb41a99b3d52800e1011b73"> 1307 27556038</a></td> 1308 <td>Moderate</td> 1309 <td><a href="#nexus_devices">All Nexus</a></td> 1310 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1311 <td>Mar 7, 2016</td> 1312 </tr> 1313 <tr> 1314 <td>CVE-2016-2460</td> 1315 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/a30d7d90c4f718e46fb41a99b3d52800e1011b73"> 1316 27555981</a></td> 1317 <td>Moderate</td> 1318 <td><a href="#nexus_devices">All Nexus</a></td> 1319 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 1320 <td>Mar 7, 2016</td> 1321 </tr> 1322</table> 1323 1324 1325<h3 id=denial_of_service_vulnerability_in_kernel> 1326Denial of Service Vulnerability in Kernel</h3> 1327 1328 1329<p>A denial of service vulnerability in the kernel could allow a local malicious 1330application to cause a device reboot. This issue is rated as Low severity 1331because the effect is a temporary denial of service.</p> 1332<table> 1333 <col width="19%"> 1334 <col width="16%"> 1335 <col width="10%"> 1336 <col width="27%"> 1337 <col width="16%"> 1338 <tr> 1339 <th>CVE</th> 1340 <th>Android bug</th> 1341 <th>Severity</th> 1342 <th>Updated Nexus devices</th> 1343 <th>Date reported</th> 1344 </tr> 1345 <tr> 1346 <td>CVE-2016-0774</td> 1347 <td>27721803*</td> 1348 <td>Low</td> 1349 <td><a href="#nexus_devices">All Nexus</a></td> 1350 <td>Mar 17, 2016</td> 1351 </tr> 1352</table> 1353<p>* The patch for this issue is available in 1354<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/fs/pipe.c?id=b381fbc509052d07ccf8641fd7560a25d46aaf1e"> 1355Linux upstream</a>.</p> 1356 1357<h2 id=common_questions_and_answers>Common Questions and Answers</h2> 1358 1359 1360<p>This section reviews answers to common questions that may occur after reading 1361this bulletin.</p> 1362 1363<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 1364 1365<p>Security Patch Levels of May 01, 2016 or later address these issues (refer to 1366the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> 1367for instructions on how to check the security patch level). Device 1368manufacturers that include these updates should set the patch string level to: 1369[ro.build.version.security_patch]:[2016-05-01]</p> 1370 1371<p id="nexus_devices"><strong>2. How do I determine which Nexus devices are affected 1372by each issue?</strong></p> 1373 1374<p>In the <a href="security_vulnerability_details">Security Vulnerability Details</a> 1375section, each table has an Updated Nexus devices column that covers the range 1376of affected Nexus devices updated for each issue. This column has a few 1377options:</p> 1378 1379<ul> 1380 <li> <strong>All Nexus devices</strong>: If an issue affects all Nexus devices, 1381 the table will have All Nexus in the <em>Updated Nexus devices</em> column. 1382 All Nexus encapsulates the following 1383 <a href="https://support.google.com/nexus/answer/4457705#nexus_devices"> 1384 supported devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), 1385 Nexus 9, Android One, Nexus Player, and Pixel C. 1386 <li> <strong>Some Nexus devices</strong>: If an issue doesn’t affect all Nexus 1387 devices, the affected Nexus devices are listed in the <em>Updated Nexus 1388 devices</em> column.</li> 1389 <li> <strong>No Nexus devices</strong>: If no Nexus devices are affected by the 1390 issue, the table will have “None” in the <em>Updated Nexus devices</em> column.</li> 1391</ul> 1392 1393<p><strong>3. Why is CVE-2015-1805 included in this bulletin?</strong></p> 1394<p>CVE-2015-1805 is included in this bulletin because the <a href="{@docRoot}security/advisory/2016-03-18.html"> 1395Android Security Advisory—2016-03-18</a> was published very close to the release of 1396the April bulletin. Due to the tight timeline, device manufacturers were given the 1397option to ship fixes from the <a href="2016-04-02.html">Nexus Security Bulletin—April 2016</a>, 1398without the fix for CVE-2015-1805, if they used the April 01, 2016 Security Patch Level. 1399It is included again in this bulletin as it must be fixed in order to use the the 1400May 01, 2016 Security Patch Level.</p> 1401<h2 id=revisions>Revisions</h2> 1402 1403 1404<ul> 1405 <li> May 02, 2016: Bulletin published.</li> 1406 <li> May 04, 2016: 1407 <ul> 1408 <li> Bulletin revised to include AOSP links. 1409 <li> List of all Nexus devices updated to include Nexus Player and Pixel C. 1410 <li> CVE-2016-2447 updated to CVE-2016-4477, per MITRE request. 1411 </ul> 1412 </li> 1413</ul> 1414