page.title=Android Security Bulletin—July 2016
@jd:body

<!--
    Copyright 2016 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->

<p><em>Published July 06, 2016 | Updated July 14, 2016</em></p>
<p>The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Alongside the bulletin, we have released a security
update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware
images have also been released to the <a
href="https://developers.google.com/android/nexus/images">Google Developer
site</a>. Security patch levels of July 05, 2016 or later address all applicable
issues in this bulletin. Refer to the <a
href="https://support.google.com/nexus/answer/4457705#nexus_devices">documentation</a>
to learn how to check the security patch level.</p>
<p>
Partners were notified about the issues described in the bulletin on June 06,
2016 or earlier. Where applicable, source code patches for these issues have
been released to the Android Open Source Project (AOSP) repository.
This bulletin also includes links to patches outside of AOSP.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods such
as email, web browsing, and MMS when processing media files.</p>
<p>We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the <a href="#mitigations">Android and Google service mitigations</a>
section for details on the
<a href="{@docRoot}security/enhancements/index.html">Android
security platform protections</a> and service protections such as SafetyNet,
which improve the security of the Android platform.</p>
<p>We encourage all customers to accept these updates to their devices.</p>
<h2 id="announcements">Announcements</h2>
<ul>
  <li>This bulletin defines two security patch level strings to provide Android
  partners with the flexibility to move more quickly to fix a subset of
  vulnerabilities that are similar across all Android devices. See
  <a href="#common-questions-and-answers">Common questions and answers</a>
  for additional information:
    <ul>
      <li><strong>2016-07-01</strong>: Partial security patch level string. This
      security patch level string indicates that all issues associated with
      2016-07-01 are addressed.</li>
      <li><strong>2016-07-05</strong>: Complete security patch level string. This
      security patch level string indicates that all issues associated with
      2016-07-01 and 2016-07-05 are addressed.</li>
    </ul>
  </li>
  <li>Supported Nexus devices will be receiving a single OTA update with the
  July 05, 2016 security patch level.</li>
</ul>
<h2 id="security_vulnerability_summary">Security vulnerability summary</h2>
<p>The tables below contain a list of security vulnerabilities, the Common
Vulnerabilities and Exposures ID (CVE), the assessed severity, and whether or not
Nexus devices are affected.
The <a
href="{@docRoot}security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.</p>

<h3 id="2016-07-01_summary">2016-07-01 security patch level—Vulnerability summary</h3>
<p>
Security patch levels of 2016-07-01 or later must address the following issues.</p>

<table>
 <col width="55%">
 <col width="20%">
 <col width="13%">
 <col width="12%">
 <tr>
  <th>Issue</th>
  <th>CVE</th>
  <th>Severity</th>
  <th>Affects Nexus?</th>
 </tr>
 <tr>
  <td>Remote code execution vulnerability in Mediaserver</td>
  <td>CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508,
  CVE-2016-3741, CVE-2016-3742, CVE-2016-3743</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Remote code execution vulnerability in OpenSSL & BoringSSL</td>
  <td>CVE-2016-2108</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Remote code execution vulnerability in Bluetooth</td>
  <td>CVE-2016-3744</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in libpng</td>
  <td>CVE-2016-3751</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Mediaserver</td>
  <td>CVE-2016-3745, CVE-2016-3746, CVE-2016-3747</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in sockets</td>
  <td>CVE-2016-3748</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in LockSettingsService</td>
  <td>CVE-2016-3749</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Framework APIs</td>
  <td>CVE-2016-3750</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in ChooserTarget service</td>
  <td>CVE-2016-3752</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in Mediaserver</td>
  <td>CVE-2016-3753</td>
  <td>High</td>
  <td>No*</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in OpenSSL</td>
  <td>CVE-2016-2107</td>
  <td>High</td>
  <td>No*</td>
 </tr>
 <tr>
  <td>Denial of service vulnerability in Mediaserver</td>
  <td>CVE-2016-3754, CVE-2016-3755, CVE-2016-3756</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Denial of service vulnerability in libc</td>
  <td>CVE-2016-3818</td>
  <td>High</td>
  <td>No*</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in lsof</td>
  <td>CVE-2016-3757</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in DexClassLoader</td>
  <td>CVE-2016-3758</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Framework APIs</td>
  <td>CVE-2016-3759</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Bluetooth</td>
  <td>CVE-2016-3760</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in NFC</td>
  <td>CVE-2016-3761</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in sockets</td>
  <td>CVE-2016-3762</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in Proxy Auto-Config</td>
  <td>CVE-2016-3763</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in Mediaserver</td>
  <td>CVE-2016-3764, CVE-2016-3765</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Denial of service
  vulnerability in Mediaserver</td>
  <td>CVE-2016-3766</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
</table>
<p>* Supported Nexus devices that have installed all available updates are not
affected by this vulnerability.</p>


<h3 id="2016-07-05_summary">2016-07-05 security patch level—Vulnerability summary</h3>
<p>
Security patch levels of 2016-07-05 or later must address all of the 2016-07-01
issues as well as the following issues.</p>

<table>
 <col width="55%">
 <col width="20%">
 <col width="13%">
 <col width="12%">
 <tr>
  <th>Issue</th>
  <th>CVE</th>
  <th>Severity</th>
  <th>Affects Nexus?</th>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm GPU driver (Device
  specific)</td>
  <td>CVE-2016-2503, CVE-2016-2067</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device
  specific)</td>
  <td>CVE-2016-3767</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm performance component
  (Device specific)</td>
  <td>CVE-2016-3768</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in NVIDIA video driver (Device
  specific)</td>
  <td>CVE-2016-3769</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek drivers (Device
  specific)</td>
  <td>CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773,
  CVE-2016-3774</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in kernel file system (Device
  specific)</td>
  <td>CVE-2016-3775</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in USB driver (Device specific)</td>
  <td>CVE-2015-8816</td>
  <td>Critical</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm components (Device
  specific)</td>
  <td>CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781,
  CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789,
  CVE-2014-9793, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787,
  CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792,
  CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799,
  CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889,
  CVE-2015-8890</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm USB driver (Device
  specific)</td>
  <td>CVE-2016-2502</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device
  specific)</td>
  <td>CVE-2016-3792</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm camera driver (Device
  specific)</td>
  <td>CVE-2016-2501</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in NVIDIA camera driver (Device
  specific)</td>
  <td>CVE-2016-3793</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek power driver (Device
  specific)</td>
  <td>CVE-2016-3795, CVE-2016-3796</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device
  specific)</td>
  <td>CVE-2016-3797</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek hardware sensor driver
  (Device specific)</td>
  <td>CVE-2016-3798</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in
  MediaTek video driver (Device
  specific)</td>
  <td>CVE-2016-3799, CVE-2016-3800</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek GPS driver (Device
  specific)</td>
  <td>CVE-2016-3801</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in kernel file system (Device
  specific)</td>
  <td>CVE-2016-3802, CVE-2016-3803</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek power management
  driver (Device specific)</td>
  <td>CVE-2016-3804, CVE-2016-3805</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in MediaTek display driver (Device
  specific)</td>
  <td>CVE-2016-3806</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in serial peripheral interface
  driver (Device specific)</td>
  <td>CVE-2016-3807, CVE-2016-3808</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in Qualcomm sound driver (Device
  specific)</td>
  <td>CVE-2016-2068</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in kernel (Device specific)</td>
  <td>CVE-2014-9803</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in networking component (Device
  specific)</td>
  <td>CVE-2016-3809</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in MediaTek Wi-Fi driver (Device
  specific)</td>
  <td>CVE-2016-3810</td>
  <td>High</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Elevation of privilege vulnerability in kernel video driver (Device
  specific)</td>
  <td>CVE-2016-3811</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information
  disclosure vulnerability in MediaTek video codec driver
  (Device specific)</td>
  <td>CVE-2016-3812</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in Qualcomm USB driver (Device
  specific)</td>
  <td>CVE-2016-3813</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in NVIDIA camera driver (Device
  specific)</td>
  <td>CVE-2016-3814, CVE-2016-3815</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in MediaTek display driver (Device
  specific)</td>
  <td>CVE-2016-3816</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Information disclosure vulnerability in kernel teletype driver (Device
  specific)</td>
  <td>CVE-2016-0723</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
 <tr>
  <td>Denial of service vulnerability in Qualcomm bootloader (Device
  specific)</td>
  <td>CVE-2014-9798, CVE-2015-8893</td>
  <td>Moderate</td>
  <td>Yes</td>
 </tr>
</table>

<h2 id="mitigations">Android and Google service mitigations</h2>
<p>This is a summary of the mitigations provided by the <a
href="{@docRoot}security/enhancements/index.html">Android
security platform</a> and service protections such as SafetyNet. These
capabilities reduce the likelihood that security vulnerabilities could be
successfully exploited on Android.</p>
<ul>
  <li>Exploitation for many issues on Android is made more difficult by
  enhancements in newer versions of the Android platform.
  We encourage all users
  to update to the latest version of Android where possible.</li>
  <li>The Android Security team actively monitors for abuse with
  <a href="{@docRoot}security/reports/Google_Android_Security_2015_Report_Final.pdf">
  Verify Apps and SafetyNet</a>, which are designed to warn users about
  <a href="{@docRoot}security/reports/Google_Android_Security_PHA_classifications.pdf">
  Potentially Harmful Applications</a>. Verify Apps is enabled by default on devices with
  <a href="http://www.android.com/gms">Google Mobile Services</a>, and is especially
  important for users who install applications from outside of Google Play. Device
  rooting tools are prohibited within Google Play, but Verify Apps warns users
  when they attempt to install a detected rooting application—no matter where it
  comes from. Additionally, Verify Apps attempts to identify and block
  installation of known malicious applications that exploit a privilege escalation
  vulnerability. If such an application has already been installed, Verify Apps
  will notify the user and attempt to remove the detected application.</li>
  <li>As appropriate, Google Hangouts and Messenger applications do not
  automatically pass media to processes such as Mediaserver.</li>
</ul>

<h2 id="acknowledgements">Acknowledgements</h2>
<p>We would like to thank these researchers for their contributions:</p>
<ul>
  <li>Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security
  Team: CVE-2016-3756, CVE-2016-3741, CVE-2016-3743, CVE-2016-3742
  <li>Adam Donenfeld et al.
  of Check Point Software Technologies Ltd.: CVE-2016-2503
  <li>Adam Powell of Google: CVE-2016-3752
  <li>Alex Chapman and Paul Stone of Context Information Security: CVE-2016-3763
  <li>Andy Tyler (<a href="https://twitter.com/ticarpi">@ticarpi</a>) of
  <a href="https://www.e2e-assure.com/">e2e-assure</a>: CVE-2016-2457
  <li>Ben Hawkes of Google Project Zero: CVE-2016-3775
  <li>Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>),
  Yuan-Tsung Lo (<a href="mailto:computernik@gmail.com">computernik@gmail.com</a>),
  and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3770,
  CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774
  <li>Christopher Tate of Google: CVE-2016-3759
  <li>Di Shen (<a href="https://twitter.com/returnsme">@returnsme</a>) of KeenLab
  (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-3762
  <li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>),
  pjf (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab,
  <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd.</a>: CVE-2016-3806,
  CVE-2016-3816, CVE-2016-3805, CVE-2016-3804, CVE-2016-3767, CVE-2016-3810,
  CVE-2016-3795, CVE-2016-3796
  <li>Greg Kaiser of Google Android Team: CVE-2016-3758
  <li>Guang Gong (龚广) (<a href="https://twitter.com/oldfresher">@oldfresher</a>)
  of Mobile Safe Team, <a href="http://www.360.com">Qihoo 360 Technology Co.
  Ltd</a>.: CVE-2016-3764
  <li>Hao Chen and Guang Gong of Alpha Team, <a href="http://www.360.com">
  Qihoo 360 Technology Co.
  Ltd</a>.: CVE-2016-3792, CVE-2016-3768
  <li>Hao Qin of Security Research Lab, <a href="http://www.cmcm.com">Cheetah
  Mobile</a>: CVE-2016-3754, CVE-2016-3766
  <li>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>)
  and pjf (<a href="http://weibo.com/jfpan">weibo.com/jfpan</a>) of IceSword Lab,
  <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>: CVE-2016-3814,
  CVE-2016-3802, CVE-2016-3769, CVE-2016-3807, CVE-2016-3808
  <li>Marco Nelissen of Google: CVE-2016-3818
  <li>Mark Brand of Google Project Zero: CVE-2016-3757
  <li><a href="https://github.com/michalbednarski">Michał Bednarski</a>: CVE-2016-3750
  <li>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>),
  Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and
  Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3747,
  CVE-2016-3746, CVE-2016-3765
  <li>Peng Xiao, Chengming Yang, Ning You, Chao Yang, and Yang Ssong of Alibaba
  Mobile Security Group: CVE-2016-3800, CVE-2016-3799, CVE-2016-3801,
  CVE-2016-3812, CVE-2016-3798
  <li>Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>) of Trend
  Micro: CVE-2016-3793
  <li>Ricky Wai of Google: CVE-2016-3749
  <li>Roeland Krak: CVE-2016-3753
  <li>Scott Bauer (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>):
  CVE-2016-3797, CVE-2016-3813, CVE-2016-3815, CVE-2016-2501, CVE-2016-2502
  <li>Vasily Vasilev: CVE-2016-2507
  <li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
  Alibaba Inc.: CVE-2016-2508, CVE-2016-3755
  <li>Wen Niu (<a href="https://twitter.com/NWMonster">@NWMonster</a>) of KeenLab
  (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-3809
  <li>Xiling Gong of Tencent Security Platform Department: CVE-2016-3745
  <li>Yacong Gu of TCA Lab, Institute of Software, Chinese Academy of Sciences:
  CVE-2016-3761
  <li>Yongke Wang (<a href="https://twitter.com/Rudykewang">@Rudykewang</a>) of
  Xuanwu LAB, Tencent: CVE-2016-2505
  <li>Yongke Wang (<a href="https://twitter.com/Rudykewang">@Rudykewang</a>) and
  Wei Wei (<a href="https://twitter.com/Danny__Wei">@Danny__Wei</a>) of Xuanwu
  LAB, Tencent: CVE-2016-2506
  <li>Yulong Zhang and Tao (Lenx) Wei of Baidu X-Lab: CVE-2016-3744</li>
</ul>

<h2 id="2016-07-01_details">2016-07-01 security patch level—Security vulnerability details</h2>
<p>In the sections below, we provide details for each of the security
vulnerabilities listed in the <a href="#2016-07-01_summary">2016-07-01 security patch level—Vulnerability
summary</a> above. There is a description of the issue, a severity rationale, and a
table with the CVE, associated references, severity, updated Nexus devices,
updated AOSP versions (where applicable), and date reported. When available, we
will link the public change that addressed the issue to the bug ID, like the
AOSP change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.</p>

<h3 id="remote-code-execution-vulnerability-in-mediaserver">
Remote code execution vulnerability in Mediaserver</h3>
<p>A remote code execution vulnerability in Mediaserver could enable an attacker
using a specially crafted file to cause memory corruption during media file and
data processing. This issue is rated as Critical due to the possibility of
remote code execution within the context of the Mediaserver process.
The
Mediaserver process has access to audio and video streams, as well as access to
privileges that third-party apps could not normally access.</p>
<p>The affected functionality is provided as a core part of the operating system
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<table>
 <col width="19%">
 <col width="19%">
 <col width="10%">
 <col width="16%">
 <col width="17%">
 <col width="17%">
 <tr>
  <th>CVE</th>
  <th>References</th>
  <th>Severity</th>
  <th>Updated Nexus devices</th>
  <th>Updated AOSP versions</th>
  <th>Date reported</th>
 </tr>
 <tr>
  <td>CVE-2016-2506</td>
  <td><a href="https://android.googlesource.com/platform/frameworks/av/+/e248db02fbab2ee9162940bc19f087fd7d96cb9d">
  A-28175045</a></td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>Apr 11, 2016</td>
 </tr>
 <tr>
  <td>CVE-2016-2505</td>
  <td><a href="https://android.googlesource.com/platform/frameworks/av/+/4f236c532039a61f0cf681d2e3c6e022911bbb5c">
  A-28333006</a></td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>6.0, 6.0.1</td>
  <td>Apr 21, 2016</td>
 </tr>
 <tr>
  <td>CVE-2016-2507</td>
  <td><a href="https://android.googlesource.com/platform/frameworks/av/+/60547808ca4e9cfac50028c00c58a6ceb2319301">
  A-28532266</a></td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>May 2, 2016</td>
 </tr>
 <tr>
  <td>CVE-2016-2508</td>
  <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f81038006b4c59a5a148dcad887371206033c28f">
  A-28799341</a>
  [<a href="https://android.googlesource.com/platform/frameworks/av/+/d112f7d0c1dbaf0368365885becb11ca8d3f13a4">2</a>]
  </td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>May 16, 2016</td>
 </tr>
 <tr>
  <td>CVE-2016-3741</td>
  <td><a href="https://android.googlesource.com/platform/external/libavc/+/e629194c62a9a129ce378e08cb1059a8a53f1795">
  A-28165661</a>
  [<a href="https://android.googlesource.com/platform/external/libavc/+/cc676ebd95247646e67907ccab150fb77a847335">2</a>]
  </td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>6.0, 6.0.1</td>
  <td>Google internal</td>
 </tr>
 <tr>
  <td>CVE-2016-3742</td>
  <td><a href="https://android.googlesource.com/platform/external/libavc/+/a583270e1c96d307469c83dc42bd3c5f1b9ef63f">
  A-28165659</a>
  </td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>6.0, 6.0.1</td>
  <td>Google internal</td>
 </tr>
 <tr>
  <td>CVE-2016-3743</td>
  <td><a href="https://android.googlesource.com/platform/external/libavc/+/ecf6c7ce6d5a22d52160698aab44fc234c63291a">
  A-27907656</a>
  </td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>6.0, 6.0.1</td>
  <td>Google internal</td>
 </tr>
</table>


<h3 id="remote-code-execution-vulnerability-in-openssl-&-boringssl">
Remote code execution vulnerability in OpenSSL & BoringSSL</h3>
<p>A remote code execution vulnerability in OpenSSL and BoringSSL could enable an
attacker using a specially crafted file to cause memory corruption during file
and data processing.
This issue is rated as Critical due to the possibility of
remote code execution within the context of an affected process.</p>

<table>
 <col width="19%">
 <col width="16%">
 <col width="10%">
 <col width="19%">
 <col width="18%">
 <col width="16%">
 <tr>
  <th>CVE</th>
  <th>References</th>
  <th>Severity</th>
  <th>Updated Nexus devices</th>
  <th>Updated AOSP versions</th>
  <th>Date reported</th>
 </tr>
 <tr>
  <td>CVE-2016-2108</td>
  <td><a href="https://android.googlesource.com/platform/external/boringssl/+/74750e1fb24149043a533497f79c577b704d6e30">
  A-28175332</a>
  </td>
  <td>Critical</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>May 3, 2016</td>
 </tr>
</table>

<h3 id="remote-code-execution-vulnerability-in-bluetooth">
Remote code execution vulnerability in Bluetooth</h3>
<p>A remote code execution vulnerability in Bluetooth could allow a proximal
attacker to execute arbitrary code during the pairing process.
This issue is
rated as High due to the possibility of remote code execution during the
initialization of a Bluetooth device.</p>

<table>
 <col width="19%">
 <col width="16%">
 <col width="10%">
 <col width="19%">
 <col width="18%">
 <col width="16%">
 <tr>
  <th>CVE</th>
  <th>References</th>
  <th>Severity</th>
  <th>Updated Nexus devices</th>
  <th>Updated AOSP versions</th>
  <th>Date reported</th>
 </tr>
 <tr>
  <td>CVE-2016-3744</td>
  <td><a href="https://android.googlesource.com/platform/system/bt/+/514139f4b40cbb035bb92f3e24d5a389d75db9e6">
  A-27930580</a></td>
  <td>High</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>Mar 30, 2016</td>
 </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-libpng">
Elevation of privilege vulnerability in libpng</h3>
<p>An elevation of privilege vulnerability in libpng could enable a local malicious
application to execute arbitrary code within the context of an elevated system
application.
This issue is rated as High because it could be used to gain local
access to elevated capabilities, such as
<a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permission privileges, which are not accessible to a third-party application.</p>

<table>
 <col width="19%">
 <col width="16%">
 <col width="10%">
 <col width="19%">
 <col width="18%">
 <col width="16%">
 <tr>
  <th>CVE</th>
  <th>References</th>
  <th>Severity</th>
  <th>Updated Nexus devices</th>
  <th>Updated AOSP versions</th>
  <th>Date reported</th>
 </tr>
 <tr>
  <td>CVE-2016-3751</td>
  <td><a href="https://android.googlesource.com/platform/external/libpng/+/9d4853418ab2f754c2b63e091c29c5529b8b86ca">
  A-23265085</a>
  </td>
  <td>High</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>Dec 3, 2015</td>
 </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-mediaserver">
Elevation of privilege vulnerability in Mediaserver</h3>
<p>An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of an
elevated system application.
This issue is rated as High because it could be
used to gain local access to elevated capabilities, such as
<a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a>
or <a href="https://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a>
permission privileges, which are not accessible to a third-party application.</p>

<table>
 <col width="19%">
 <col width="16%">
 <col width="10%">
 <col width="19%">
 <col width="18%">
 <col width="16%">
 <tr>
  <th>CVE</th>
  <th>References</th>
  <th>Severity</th>
  <th>Updated Nexus devices</th>
  <th>Updated AOSP versions</th>
  <th>Date reported</th>
 </tr>
 <tr>
  <td>CVE-2016-3745</td>
  <td><a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/073a80800f341325932c66818ce4302b312909a4">
  A-28173666</a>
  </td>
  <td>High</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>Apr 10, 2016</td>
 </tr>
 <tr>
  <td>CVE-2016-3746</td>
  <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/5b82f4f90c3d531313714df4b936f92fb0ff15cf">
  A-27890802</a>
  </td>
  <td>High</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>Mar 27, 2016</td>
 </tr>
 <tr>
  <td>CVE-2016-3747</td>
  <td><a href="https://android.googlesource.com/platform/hardware/qcom/media/+/4ed06d14080d8667d5be14eed200e378cba78345">
  A-27903498</a>
  </td>
  <td>High</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
  <td>Mar 28, 2016</td>
 </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-sockets">
Elevation of privilege vulnerability in sockets</h3>
<p>An elevation of privilege vulnerability in sockets could enable a local
malicious application
to access system calls outside of its permissions level.
This issue is rated as High because it could permit a bypass of security
measures in place to increase the difficulty of attackers exploiting the
platform.</p>

<table>
 <col width="19%">
 <col width="16%">
 <col width="10%">
 <col width="19%">
 <col width="18%">
 <col width="16%">
 <tr>
  <th>CVE</th>
  <th>References</th>
  <th>Severity</th>
  <th>Updated Nexus devices</th>
  <th>Updated AOSP versions</th>
  <th>Date reported</th>
 </tr>
 <tr>
  <td>CVE-2016-3748</td>
  <td><a href="https://android.googlesource.com/platform/external/sepolicy/+/556bb0f55324e8839d7b735a0de9bc31028e839e">
  A-28171804</a>
  </td>
  <td>High</td>
  <td><a href="#all_nexus">All Nexus</a></td>
  <td>6.0, 6.0.1</td>
  <td>Apr 13, 2016</td>
 </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-locksettingsservice">
Elevation of privilege vulnerability in LockSettingsService</h3>
<p>An elevation of privilege vulnerability in the LockSettingsService could enable
a malicious application to reset the screen lock password without authorization
from the user.
This issue is rated as High because it is a local bypass of user
interaction requirements for any developer or security settings modifications.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3749</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e83f0f6a5a6f35323f5367f99c8e287c440f33f5">
       A-28163930</a>
    </td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>6.0, 6.0.1</td>
    <td>Google internal</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-framework-apis">
Elevation of privilege vulnerability in Framework APIs</h3>
<p>An elevation of privilege vulnerability in the Parcels Framework APIs could
enable a local malicious application to bypass operating system protections that
isolate application data from other applications.
This issue is rated as High
because it could be used to gain access to data that the application does not
have access to.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3750</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/native/+/54cb02ad733fb71b1bdf78590428817fb780aff8">
       A-28395952</a>
    </td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Dec 16, 2015</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-choosertarget-service">
Elevation of privilege vulnerability in ChooserTarget service</h3>
<p>An elevation of privilege vulnerability in the ChooserTarget service could
enable a local malicious application to execute code in the context of another
application.
This issue is rated High because it could be used to access
Activities belonging to another application without permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3752</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/ddbf2db5b946be8fdc45c7b0327bf560b2a06988">
       A-28384423</a>
    </td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>6.0, 6.0.1</td>
    <td>Google internal</td>
  </tr>
</table>

<h3 id="information-disclosure-vulnerability-in-mediaserver">
Information disclosure vulnerability in Mediaserver</h3>
<p>An information disclosure vulnerability in Mediaserver could enable a remote
attacker to access protected data normally only accessible to locally installed
apps that request permission.
This issue is rated as High because it could be
used to access data without permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3753</td>
    <td>A-27210135</td>
    <td>High</td>
    <td>None*</td>
    <td>4.4.4</td>
    <td>Feb 15, 2016</td>
  </tr>
</table>
<p>* Supported Nexus devices that have installed all available updates are not
affected by this vulnerability.</p>

<h3 id="information-disclosure-vulnerability-in-openssl">
Information disclosure vulnerability in OpenSSL</h3>
<p>An information disclosure vulnerability in OpenSSL could enable a remote
attacker to access protected data normally only accessible to locally installed
apps that request permission.
This issue is rated as High because it could be
used to access data without permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-2107</td>
    <td>A-28550804</td>
    <td>High</td>
    <td>None*</td>
    <td>4.4.4, 5.0.2, 5.1.1</td>
    <td>April 13, 2016</td>
  </tr>
</table>
<p>* Supported Nexus devices that have installed all available updates are not
affected by this vulnerability.</p>

<h3 id="denial-of-service-vulnerability-in-mediaserver">
Denial of service vulnerability in Mediaserver</h3>
<p>A denial of service vulnerability in Mediaserver could enable an attacker to use
a specially crafted file to cause a device hang or reboot.
This issue is rated
as High due to the possibility of a temporary remote denial of service.</p>

<table>
  <col width="19%">
  <col width="19%">
  <col width="10%">
  <col width="16%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3754</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fdee2a83432b3b150d6a34f231c4e2f7353c01e">
       A-28615448</a>
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/e7142a0703bc93f75e213e96ebc19000022afed9">2</a>]
    </td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>May 5, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3755</td>
    <td><a href="https://android.googlesource.com/platform/external/libavc/+/d4841f1161bdb5e13cb19e81af42437a634dd6ef">
       A-28470138</a>
    </td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>6.0, 6.0.1</td>
    <td>Apr 29, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3756</td>
    <td><a href="https://android.googlesource.com/platform/external/tremolo/+/659030a2e80c38fb8da0a4eb68695349eec6778b">
       A-28556125</a>
    </td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google internal</td>
  </tr>
</table>

<h3 id="denial-of-service-vulnerability-in-libc">
Denial of service vulnerability in libc</h3>
<p>A denial of service vulnerability in libc could enable an attacker to use a
specially crafted file to cause a device hang or reboot.
This issue is rated as
High due to the possibility of remote denial of service.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3818</td>
    <td>A-28740702</td>
    <td>High</td>
    <td>None*</td>
    <td>4.4.4</td>
    <td>Google internal</td>
  </tr>
</table>
<p>* Supported Nexus devices that have installed all available updates are not
affected by this vulnerability.</p>

<h3 id="elevation-of-privilege-vulnerability-in-lsof">
Elevation of privilege vulnerability in lsof</h3>
<p>An elevation of privilege vulnerability in lsof could enable a local malicious
application to execute arbitrary code that could lead to a permanent device
compromise.
This issue is rated as Moderate because it requires uncommon manual
steps.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3757</td>
    <td><a href="https://android.googlesource.com/platform/system/core/+/ae18eb014609948a40e22192b87b10efc680daa7">
       A-28175237</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 11, 2016</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-dexclassloader">
Elevation of privilege vulnerability in DexClassLoader</h3>
<p>An elevation of privilege vulnerability in the DexClassLoader could enable a
local malicious application to execute arbitrary code within the context of a
privileged process.
This issue is rated as Moderate because it requires uncommon
manual steps.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3758</td>
    <td><a href="https://android.googlesource.com/platform/dalvik/+/338aeaf28e9981c15d0673b18487dba61eb5447c">
       A-27840771</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google internal</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-framework-apis-2">
Elevation of privilege vulnerability in Framework APIs</h3>
<p>An elevation of privilege vulnerability in the Framework APIs could enable a
local malicious application to request backup permissions and intercept all
backup data.
This issue is rated as Moderate because it requires specific
permissions to bypass operating system protections that isolate application data
from other applications.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="17%">
  <col width="17%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3759</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/9b8c6d2df35455ce9e67907edded1e4a2ecb9e28">
       A-28406080</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Google internal</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-bluetooth">
Elevation of privilege vulnerability in Bluetooth</h3>
<p>An elevation of privilege vulnerability in the Bluetooth component could enable
a local attacker to add an authenticated Bluetooth device that persists for the
primary user.
This issue is rated as Moderate because it could be used to gain
elevated capabilities without explicit user permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3760</td>
    <td><a href="https://android.googlesource.com/platform/hardware/libhardware/+/8b3d5a64c3c8d010ad4517f652731f09107ae9c5">A-27410683</a>
    [<a href="https://android.googlesource.com/platform/system/bt/+/37c88107679d36c419572732b4af6e18bb2f7dce">2</a>]
    [<a href="https://android.googlesource.com/platform/packages/apps/Bluetooth/+/122feb9a0b04290f55183ff2f0384c6c53756bd8">3</a>]
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Feb 29, 2016</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-nfc">
Elevation of privilege vulnerability in NFC</h3>
<p>An elevation of privilege vulnerability in NFC could enable a local malicious
background application to access information from a foreground application.
This
issue is rated as Moderate because it could be used to gain elevated
capabilities without explicit user permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3761</td>
    <td><a href="https://android.googlesource.com/platform/packages/apps/Nfc/+/9ea802b5456a36f1115549b645b65c791eff3c2c">
       A-28300969</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 20, 2016</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-sockets-2">
Elevation of privilege vulnerability in sockets</h3>
<p>An elevation of privilege vulnerability in sockets could enable a local
malicious application to gain access to certain uncommon socket types possibly
leading to arbitrary code execution within the context of the kernel.
This issue
is rated as Moderate because it could permit a bypass of security measures in
place to increase the difficulty of attackers exploiting the platform.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3762</td>
    <td><a href="https://android.googlesource.com/platform/external/sepolicy/+/abf0663ed884af7bc880a05e9529e6671eb58f39">
       A-28612709</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 21, 2016</td>
  </tr>
</table>

<h3 id="information-disclosure-vulnerability-in-proxy-auto-config">
Information disclosure vulnerability in Proxy Auto-Config</h3>
<p>An information disclosure vulnerability in the Proxy Auto-Config component could
allow an application to access sensitive information.
This issue is rated
Moderate because it could be used to access data without permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3763</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/ec2fc50d202d975447211012997fe425496c849c">
       A-27593919</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Mar 10, 2016</td>
  </tr>
</table>

<h3 id="information-disclosure-vulnerability-in-mediaserver-2">
Information disclosure vulnerability in Mediaserver</h3>
<p>An information disclosure vulnerability in Mediaserver could allow a local
malicious application to access sensitive information.
This issue is rated as
Moderate because it could be used to access data without permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3764</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/daef4327fe0c75b0a90bb8627458feec7a301e1f">
       A-28377502</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 25, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3765</td>
    <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/d1c775d1d8d2ed117d1e026719b7f9f089716597">
       A-28168413</a>
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>6.0, 6.0.1</td>
    <td>Apr 8, 2016</td>
  </tr>
</table>

<h3 id="denial-of-service-vulnerability-in-mediaserver-2">
Denial of service vulnerability in Mediaserver</h3>
<p>A denial of service vulnerability in Mediaserver could enable an attacker to use
a specially crafted file to cause a device hang or reboot.
This issue is rated
as Moderate due to the possibility of remote denial of service.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="19%">
  <col width="18%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Updated AOSP versions</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3766</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fdee2a83432b3b150d6a34f231c4e2f7353c01e">
       A-28471206</a>
       [<a href="https://android.googlesource.com/platform/frameworks/av/+/e7142a0703bc93f75e213e96ebc19000022afed9">2</a>]
    </td>
    <td>Moderate</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
    <td>Apr 29, 2016</td>
  </tr>
</table>

<h2 id="2016-07-05_details">2016-07-05 security patch level—Vulnerability details</h2>
<p>In the sections below, we provide details for each of the security
vulnerabilities listed in the <a href="#2016-07-05_summary">2016-07-05 security patch level—Vulnerability
summary</a> above. There is a description of the issue, a severity rationale, and a
table with the CVE, associated references, severity, updated Nexus devices,
updated AOSP versions (where applicable), and date reported. When available, we
will link the public change that addressed the issue to the bug ID, like the
AOSP change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.</p>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-gpu-driver">
Elevation of privilege vulnerability in Qualcomm GPU driver</h3>
<p>An elevation of privilege vulnerability in the Qualcomm GPU driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel.
This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-2503</td>
    <td>A-28084795*
       QC-CR1006067</td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Apr 5, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-2067</td>
    <td>A-28305757
      <a href="https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.18/commit/?id=410cfa95f0a1cf58819cbfbd896f9aa45b004ac0">
       QC-CR988993</a></td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P</td>
    <td>Apr 20, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-wi-fi-driver">
Elevation of privilege vulnerability in MediaTek Wi-Fi driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel.
This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3767</td>
    <td>A-28169363*
       <br>M-ALPS02689526</td>
    <td>Critical</td>
    <td>Android One</td>
    <td>Apr 6, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3
id="elevation-of-privilege-vulnerability-in-qualcomm-performance-component">
Elevation of privilege vulnerability in Qualcomm performance component</h3>
<p>An elevation of privilege vulnerability in the Qualcomm performance component
could enable a local malicious application to execute arbitrary code within the
context of the kernel.
This issue is rated as Critical severity due to the
possibility of a local permanent device compromise, which may require reflashing
the operating system to repair the device.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3768</td>
    <td>A-28172137*
       QC-CR1010644</td>
    <td>Critical</td>
    <td>Nexus 5, Nexus 6, Nexus 5X, Nexus 6P, Nexus 7 (2013)</td>
    <td>Apr 9, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-nvidia-video-driver">
Elevation of privilege vulnerability in NVIDIA video driver</h3>
<p>An elevation of privilege vulnerability in the NVIDIA video driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3769</td>
    <td>A-28376656*<br>
       N-CVE20163769</td>
    <td>Critical</td>
    <td>Nexus 9</td>
    <td>Apr 18, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-drivers-device-specific">
Elevation of privilege vulnerability in MediaTek drivers (Device specific)</h3>
<p>An elevation of privilege vulnerability in multiple MediaTek drivers could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3770</td>
    <td>A-28346752*<br>
       M-ALPS02703102</td>
    <td>Critical</td>
    <td>Android One</td>
    <td>Apr 22, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3771</td>
    <td>A-29007611*<br>
       M-ALPS02703102</td>
    <td>Critical</td>
    <td>Android One</td>
    <td>Apr 22, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3772</td>
    <td>A-29008188*<br>
       M-ALPS02703102</td>
    <td>Critical</td>
    <td>Android One</td>
    <td>Apr 22, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3773</td>
    <td>A-29008363*<br>
       M-ALPS02703102</td>
    <td>Critical</td>
    <td>Android One</td>
    <td>Apr 22, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3774</td>
    <td>A-29008609*<br>
       M-ALPS02703102</td>
    <td>Critical</td>
    <td>Android One</td>
    <td>Apr 22, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-kernel-file-system">
Elevation of privilege vulnerability in kernel file system</h3>
<p>An elevation of privilege vulnerability in the kernel file system could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3775</td>
    <td>A-28588279*</td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P and Nexus Player, Pixel C</td>
    <td>May 4, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-usb-driver">
Elevation of privilege vulnerability in USB driver</h3>
<p>An elevation of privilege vulnerability in the USB driver could enable a local
malicious application to execute arbitrary code within the context of the
kernel.
This issue is rated as Critical severity due to the possibility of a
local permanent device compromise, which may require reflashing the operating
system to repair the device.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2015-8816</td>
    <td>A-28712303*</td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, Pixel C</td>
    <td>May 4, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-components">
Elevation of privilege vulnerability in Qualcomm components</h3>
<p>The table below contains security vulnerabilities affecting Qualcomm components
including the bootloader, camera driver, character driver, networking, sound
driver and video driver.</p>
<p>The most severe of these issues is rated as Critical due to the possibility of
arbitrary code execution leading to the possibility of a local permanent device
compromise, which may require reflashing the operating system to repair the
device.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity*</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2014-9795</td>
    <td>A-28820720<br>
      <a
href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=ce2a0ea1f14298abc83729f3a095adab43342342">QC-CR681957</a>
      [<a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=fc3b31f81a1c128c2bcc745564a075022cd72a2e">2</a>]
    </td>
    <td>Critical</td>
    <td>Nexus 5</td>
    <td>Aug 8, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9794</td>
    <td>A-28821172<br>
      <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=f39085971c8c4e36cadbf8a72aabe6c7ff538ffa">QC-CR646385</a>
    </td>
    <td>Critical</td>
    <td>Nexus 7 (2013)</td>
    <td>Aug 8, 2014</td>
  </tr>
  <tr>
    <td>CVE-2015-8892</td>
    <td>A-28822807<br>
      <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=fae606b9dd92c021e2419369975264f24f60db23">QC-CR902998</a>
    </td>
    <td>Critical</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Dec 30, 2015</td>
  </tr>
  <tr>
    <td>CVE-2014-9781</td>
    <td>A-28410333<br>
      <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/video/?h=LA.BF.1.1.3_rb1.12&id=a2b5237ad265ec634489c8b296d870827b2a1b13&context=20&ignorews=0&dt=0">QC-CR556471</a>
    </td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Feb 6, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9786</td>
    <td>A-28557260<br>
      <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/patch/?id=2fb303d9c6ca080f253b10ed9384293ca69ad32b">QC-CR545979</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Mar 13, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9788</td>
    <td>A-28573112<br>
      <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=73bfc22aa70cc0b7e6709381125a0a42aa72a4f2">QC-CR548872</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Mar 13, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9779</td>
    <td>A-28598347<br>
      <a
href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c?h=LA.BF.1.1.3_rb1.12&id=0b5f49b360afdebf8ef55df1e48ec141b3629621">QC-CR548679</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Mar 13, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9780</td>
    <td>A-28602014<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=b5bb13e1f738f90df11e0c17f843c73999a84a54">QC-CR542222</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 5X, Nexus 6P</td>
    <td>Mar 13, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9789</td>
    <td>A-28749392<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=5720ed5c3a786e3ba0a2428ac45da5d7ec996b4e">QC-CR556425</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Mar 13, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9793</td>
    <td>A-28821253<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=0dcccecc4a6a9a9b3314cb87b2be8b52df1b7a81">QC-CR580567</a></td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 13, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9782</td>
    <td>A-28431531<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/patch/?id=2e57a46ab2ba7299d99d9cdc1382bd1e612963fb">QC-CR511349</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Mar 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9783</td>
    <td>A-28441831<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=2b1050b49a9a5f7bb57006648d145e001a3eaa8b">QC-CR511382</a>
    [<a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=a7502f4f801bb95bff73617309835bb7a016cde5">2</a>]</td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9785</td>
    <td>A-28469042<br>
    <a
href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=b4338420db61f029ca6713a89c41b3a5852b20ce">QC-CR545747</a></td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9787</td>
    <td>A-28571496<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=528400ae4cba715f6c9ff4a2657dafd913f30b8b">QC-CR545764</a></td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9784</td>
    <td>A-28442449<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=36503d639cedcc73880974ed92132247576e72ba">QC-CR585147</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Apr 30, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9777</td>
    <td>A-28598501<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=17bfaf64ad503d2e6607d2d3e0956f25bf07eb43">QC-CR563654</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Apr 30, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9778</td>
    <td>A-28598515<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=af85054aa6a1bcd38be2354921f2f80aef1440e5">QC-CR563694</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Apr 30, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9790</td>
    <td>A-28769136<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=6ed921bda8cbb505e8654dfc1095185b0bccc38e">QC-CR545716</a>
    [<a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit?h=LA.BF.1.1.3_rb1.12&id=9bc30c0d1832f7dd5b6fa10d5e48a29025176569">2</a>]</td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Apr 30, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9792</td>
    <td>A-28769399<br>
    <a
href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=a3e3dd9fc0a2699ae053ffd3efb52cdc73ad94cd">QC-CR550606</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Apr 30, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9797</td>
    <td>A-28821090<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=3312737f3e1ec84dd67ee0622c7dd031083f71a4">QC-CR674071</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Jul 3, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9791</td>
    <td>A-28803396<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=9aabfc9e7775abbbcf534cdecccc4f12ee423b27">QC-CR659364</a></td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Aug 29, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9796</td>
    <td>A-28820722<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=2e21b3a57cac7fb876bcf43244d7cc3dc1f6030d">QC-CR684756</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Sep 30, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9800</td>
    <td>A-28822150<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=6390f200d966dc13cf61bb5abbe3110447ca82b5">QC-CR692478</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Oct 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9799</td>
    <td>A-28821731<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=c2119f1fba46f3b6e153aa018f15ee46fe6d5b76">QC-CR691916</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Oct 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9801</td>
    <td>A-28822060<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=cf8f5a105bafda906ccb7f149d1a5b8564ce20c0">QC-CR705078</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Nov 28, 2014</td>
  </tr>
  <tr>
    <td>CVE-2014-9802</td>
    <td>A-28821965<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=222e0ec9bc755bfeaa74f9a0052b7c709a4ad054">QC-CR705108</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Dec 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2015-8891</td>
    <td>A-28842418<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=4f829bb52d0338c87bc6fbd0414b258f55cc7c62">QC-CR813930</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>May 29, 2015</td>
  </tr>
  <tr>
    <td>CVE-2015-8888</td>
    <td>A-28822465<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=1321f34f1ebcff61ad7e65e507cfd3e9028af19b">QC-CR813933</a></td>
    <td>High</td>
    <td>Nexus 5</td>
    <td>Jun 30, 2015</td>
  </tr>
  <tr>
    <td>CVE-2015-8889</td>
    <td>A-28822677<br>
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=fa774e023554427ee14d7a49181e9d4afbec035e">QC-CR804067</a></td>
    <td>High</td>
    <td>Nexus 6P</td>
    <td>Jun 30, 2015</td>
  </tr>
  <tr>
    <td>CVE-2015-8890</td>
    <td>A-28822878<br>
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=e22aca36da2bb6f5016f3c885eb8c8ff85c115e4">QC-CR823461</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Aug 19, 2015</td>
  </tr>
</table>
<p>* The severity rating for these issues is provided directly by Qualcomm.</p>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-usb-driver">
Elevation of privilege vulnerability in Qualcomm USB driver</h3>
<p>An elevation of privilege vulnerability in the Qualcomm USB driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel.
This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-2502</td>
    <td>A-27657963
    <a href="https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=0bc45d7712eabe315ce8299a49d16433c3801156">QC-CR997044</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Mar 11, 2016</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-wi-fi-driver">
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3>
<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel.
This issue is rated as High because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3792</td>
    <td>A-27725204
    <a href="https://us.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=28d4f0c1f712bffb4aa5b47f06e97d5a9fa06d29">QC-CR561022</a></td>
    <td>High</td>
    <td>Nexus 7 (2013)</td>
    <td>Mar 17, 2016</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-camera-driver">
Elevation of privilege vulnerability in Qualcomm camera driver</h3>
<p>An elevation of privilege vulnerability in the Qualcomm camera driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-2501</td>
    <td>A-27890772*
    QC-CR1001092</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013)</td>
    <td>Mar 27, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-nvidia-camera-driver">
Elevation of privilege vulnerability in NVIDIA camera driver</h3>
<p>An elevation of privilege vulnerability in the NVIDIA camera driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3793</td>
    <td>A-28026625*<br>
    N-CVE20163793</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Apr 5, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-power-driver">
Elevation of privilege vulnerability in MediaTek power driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek power driver could enable a local
malicious application to execute arbitrary code within the context of the
kernel.
This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3795</td>
    <td>A-28085222*<br>
    M-ALPS02677244</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 7, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3796</td>
    <td>A-29008443*<br>
    M-ALPS02677244</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 7, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-wi-fi-driver-2">
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3>
<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3797</td>
    <td>A-28085680*
    QC-CR1001450</td>
    <td>High</td>
    <td>Nexus 5X</td>
    <td>Apr 7, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-hardware-sensor-driver">
Elevation of privilege vulnerability in MediaTek hardware sensor driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek hardware sensor driver
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3798</td>
    <td>A-28174490*<br>
    M-ALPS02703105</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 11, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-video-driver">
Elevation of privilege vulnerability in MediaTek video driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek video driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel.
This issue is rated as High because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3799</td>
    <td>A-28175025*<br>
    M-ALPS02693738</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 11, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3800</td>
    <td>A-28175027*<br>
    M-ALPS02693739</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 11, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-gps-driver">
Elevation of privilege vulnerability in MediaTek GPS driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek GPS driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3801</td>
    <td>A-28174914*<br>
    M-ALPS02688853</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 11, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-kernel-file-system-2">
Elevation of privilege vulnerability in kernel file system</h3>
<p>An elevation of privilege vulnerability in the kernel file system could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3802</td>
    <td>A-28271368*</td>
    <td>High</td>
    <td>Nexus 9</td>
    <td>Apr 19, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3803</td>
    <td>A-28588434*</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>May 4, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-power-management-driver">
Elevation of privilege vulnerability in MediaTek power management driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek power management driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel.
This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3804</td>
    <td>A-28332766*<br>
    M-ALPS02694410</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 20, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3805</td>
    <td>A-28333002*<br>
    M-ALPS02694412</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 21, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-mediatek-display-driver">
Elevation of privilege vulnerability in MediaTek display driver</h3>
<p>An elevation of privilege vulnerability in the MediaTek display driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3806</td>
    <td>A-28402341*<br>
    M-ALPS02715341</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 26, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-serial-peripheral-interface-driver">
Elevation of privilege vulnerability in serial peripheral interface driver</h3>
<p>An elevation of privilege vulnerability in the serial peripheral interface
driver could enable a local malicious application to execute arbitrary code
within the context of the kernel. This issue is rated as High because it first
requires compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3807</td>
    <td>A-28402196*</td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Apr 26, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3808</td>
    <td>A-28430009*</td>
    <td>High</td>
    <td>Pixel C</td>
    <td>Apr 26, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-qualcomm-sound-driver">
Elevation of privilege vulnerability in Qualcomm sound driver</h3>
<p>An elevation of privilege vulnerability in the Qualcomm sound driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel.
This issue is rated as High severity because it first
requires compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-2068</td>
    <td>A-28470967
    <a href="https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=01ee86da5a0cd788f134e360e2be517ef52b6b00">QC-CR1006609</a></td>
    <td>High</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
    <td>Apr 28, 2016</td>
  </tr>
</table>

<h3 id="elevation-of-privilege-vulnerability-in-kernel">
Elevation of privilege vulnerability in kernel</h3>
<p>An elevation of privilege vulnerability in the kernel could enable a local
malicious application to execute arbitrary code within the context of the
kernel.
This issue is rated as High because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2014-9803</td>
    <td>A-28557020<br>
    <a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/arch/arm64/include/asm/pgtable.h?h=linux-3.10.y&id=5a0fdfada3a2aa50d7b947a2e958bf00cbe0d830">
    Upstream kernel</a></td>
    <td>High</td>
    <td>Nexus 5X, Nexus 6P</td>
    <td>Google internal</td>
  </tr>
</table>

<h3
id="information-disclosure-vulnerability-in-networking-component">
Information disclosure vulnerability in networking component</h3>
<p>An information disclosure vulnerability in the networking component could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as High because it could be used to access sensitive data
without explicit user permission.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3809</td>
    <td>A-27532522*</td>
    <td>High</td>
    <td><a href="#all_nexus">All Nexus</a></td>
    <td>Mar 5, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="information-disclosure-vulnerability-in-mediatek-wi-fi-driver">
Information disclosure vulnerability in MediaTek Wi-Fi driver</h3>
<p>An information disclosure vulnerability in the MediaTek Wi-Fi driver could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as High because it could be used to access sensitive
data without explicit user permission.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3810</td>
    <td>A-28175522*<br>
    M-ALPS02694389</td>
    <td>High</td>
    <td>Android One</td>
    <td>Apr 12, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation-of-privilege-vulnerability-in-kernel-video-driver">
Elevation of privilege vulnerability in kernel video driver</h3>
<p>An elevation of privilege vulnerability in the kernel video driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel.
This issue is rated as Moderate because it first requires
compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3811</td>
    <td>A-28447556*</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>Google internal</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="information-disclosure-vulnerability-in-mediatek-video-codec-driver">
Information disclosure vulnerability in MediaTek video codec driver</h3>
<p>An information disclosure vulnerability in the MediaTek video codec driver could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as Moderate because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3812</td>
    <td>A-28174833*<br>
    M-ALPS02688832</td>
    <td>Moderate</td>
    <td>Android One</td>
    <td>Apr 11, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="information-disclosure-vulnerability-in-qualcomm-usb-driver">
Information disclosure vulnerability in Qualcomm USB driver</h3>
<p>An information disclosure vulnerability in the Qualcomm USB driver could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3813</td>
    <td>A-28172322*
    QC-CR1010222</td>
    <td>Moderate</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
    <td>Apr 11, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="information-disclosure-vulnerability-in-nvidia-camera-driver">
Information disclosure vulnerability in NVIDIA camera driver</h3>
<p>An information disclosure vulnerability in the NVIDIA camera driver could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3814</td>
    <td>A-28193342*<br>
    N-CVE20163814</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>Apr 14, 2016</td>
  </tr>
  <tr>
    <td>CVE-2016-3815</td>
    <td>A-28522274*<br>
    N-CVE20163815</td>
    <td>Moderate</td>
    <td>Nexus 9</td>
    <td>May 1, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="information-disclosure-vulnerability-in-mediatek-display-driver">
Information disclosure vulnerability in MediaTek display driver</h3>
<p>An information disclosure vulnerability in the MediaTek display driver could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as Moderate because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-3816</td>
    <td>A-28402240*</td>
    <td>Moderate</td>
    <td>Android One</td>
    <td>Apr 26, 2016</td>
  </tr>
</table>
<p>* The patch for this issue is not publicly available.
The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="information-disclosure-vulnerability-in-kernel-teletype-driver">
Information disclosure vulnerability in kernel teletype driver</h3>
<p>An information disclosure vulnerability in the teletype driver could enable a
local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.</p>

<table>
  <col width="19%">
  <col width="20%">
  <col width="10%">
  <col width="23%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2016-0723</td>
    <td>A-28409131<br>
      <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5c17c861a357e9458001f021a7afa7aab9937439">Upstream kernel</a></td>
    <td>Moderate</td>
    <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus
      Player, Pixel C</td>
    <td>Apr 26, 2016</td>
  </tr>
</table>

<h3 id="denial-of-service-vulnerability-in-qualcomm-bootloader">
Denial of service vulnerability in Qualcomm bootloader</h3>
<p>A denial of service vulnerability in the Qualcomm bootloader could enable a
local malicious application to cause a local permanent device compromise, which
may require reflashing the operating system to repair the device.
This issue is
rated as Moderate because it first requires compromising a privileged process.</p>

<table>
  <col width="19%">
  <col width="16%">
  <col width="10%">
  <col width="27%">
  <col width="16%">
  <tr>
    <th>CVE</th>
    <th>References</th>
    <th>Severity</th>
    <th>Updated Nexus devices</th>
    <th>Date reported</th>
  </tr>
  <tr>
    <td>CVE-2014-9798</td>
    <td>A-28821448
      <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=b05eed2491a098bf627ac485a5b43d2f4fae2484">QC-CR681965</a></td>
    <td>Moderate</td>
    <td>Nexus 5</td>
    <td>Oct 31, 2014</td>
  </tr>
  <tr>
    <td>CVE-2015-8893</td>
    <td>A-28822690
      <a href="https://us.codeaurora.org/cgit/quic/la//kernel/lk/commit/?id=800255e8bfcc31a02e89460460e3811f225e7a69">QC-CR822275</a></td>
    <td>Moderate</td>
    <td>Nexus 5, Nexus 7 (2013)</td>
    <td>Aug 19, 2015</td>
  </tr>
</table>
<h2 id="common-questions-and-answers">Common questions and answers</h2>
<p>This section answers common questions that may occur after reading this
bulletin.</p>

<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>
<p>Security Patch Levels of 2016-07-01 or later address all issues associated with
the 2016-07-01 security patch string level. Security Patch Levels of 2016-07-05
or later address all issues associated with the 2016-07-05 security patch string
level. Refer to the <a
href="https://support.google.com/nexus/answer/4457705">help center</a>
for instructions on how to check the security patch level. Device manufacturers
that include these updates should set the patch string level to:
[ro.build.version.security_patch]:[2016-07-01] or
[ro.build.version.security_patch]:[2016-07-05].</p>

<p><strong>2.
Why does this bulletin have two security patch level strings?</strong></p>
<p>This bulletin has two security patch level strings in order to provide
Android partners with the flexibility to move more quickly to fix a subset of
vulnerabilities that are similar across all Android devices. Android partners
are encouraged to fix all issues in this bulletin and use the latest security
patch level string.</p>
<p>Devices that use the security patch level of July 5, 2016 or newer must
include all applicable patches in this (and previous) security bulletins.</p>
<p>Devices that use the July 1, 2016 security patch level must include all
issues associated with that security patch level, as well as fixes for all
issues reported in previous security bulletins. Devices that use the July 1, 2016
security patch level may also include a subset of fixes associated with the
July 5, 2016 security patch level.</p>

<p id="all_nexus"><strong>3. How do I determine which Nexus devices are affected
by each issue?</strong></p>
<p>In the <a href="#2016-07-01_details">2016-07-01</a> and
<a href="#2016-07-05_details">2016-07-05</a> security vulnerability details sections,
each table has an Updated Nexus devices column that covers the range of affected
Nexus devices updated for each issue. This column has a few options:</p>
<ul>
  <li><strong>All Nexus devices</strong>: If an issue affects all Nexus devices,
  the table will have “All Nexus” in the <em>Updated Nexus devices</em> column.
  “All Nexus” encapsulates the following
  <a href="https://support.google.com/nexus/answer/4457705#nexus_devices">supported
  devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9,
  Android One, Nexus Player, and Pixel C.</li>
  <li><strong>Some Nexus devices</strong>: If an issue doesn’t affect all Nexus
  devices, the affected Nexus devices are listed in the <em>Updated Nexus
  devices</em> column.</li>
  <li><strong>No Nexus devices</strong>: If no Nexus devices are affected by the
  issue, the table will have “None” in the <em>Updated Nexus devices</em> column.</li>
</ul>

<p><strong>4. What do the entries in the references column map to?</strong></p>
<p>Entries under the <em>References</em> column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value belongs. These prefixes
map as follows:</p>

<table>
  <tr>
    <th>Prefix</th>
    <th>Reference</th>
  </tr>
  <tr>
    <td>A-</td>
    <td>Android bug ID</td>
  </tr>
  <tr>
    <td>QC-</td>
    <td>Qualcomm reference number</td>
  </tr>
  <tr>
    <td>M-</td>
    <td>MediaTek reference number</td>
  </tr>
  <tr>
    <td>N-</td>
    <td>NVIDIA reference number</td>
  </tr>
</table>

<h2 id="revisions">Revisions</h2>
<ul>
  <li>July 06, 2016: Bulletin published.</li>
  <li>July 07, 2016:
    <ul>
      <li>Added AOSP links.</li>
      <li>Removed CVE-2016-3794 because it is a duplicate of CVE-2016-3814.</li>
      <li>Added attribution for CVE-2016-2501 and CVE-2016-2502.</li>
    </ul>
  </li>
  <li>July 11, 2016: Updated attribution for CVE-2016-3750.</li>
  <li>July 14, 2016: Updated attribution for CVE-2016-2503.</li>
</ul>
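
<p>The patch level check described in questions 1 and 2 of Common questions and
answers, as an added example that is not part of the original bulletin: it reads
<code>ro.build.version.security_patch</code> from getprop-style output and reports
whether a device is at the complete level, the partial level, or neither. The
function names, device labels and sample lines are assumptions constructed for
illustration.</p>

```shell
#!/bin/sh
# Added example (not from the bulletin): classify devices against the two
# July 2016 security patch level strings.
PARTIAL_LEVEL="2016-07-01"    # partial string, from the bulletin
COMPLETE_LEVEL="2016-07-05"   # complete string, from the bulletin

# Read getprop output on stdin and print the security patch level value.
# Accepts "[key]:[value]" and "[key]: [value]"; drops carriage returns.
extract_patch_level() {
    tr -d '\r' |
        sed -n 's/^\[ro\.build\.version\.security_patch]:[[:space:]]*\[\(.*\)]$/\1/p' |
        head -n 1
}

# Print complete, partial, outdated or invalid for one patch level string.
classify_patch_level() {
    # Only zero-padded YYYY-MM-DD compares correctly; reject anything else.
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    have=$(printf '%s' "$1" | tr -d '-')
    if [ "$have" -ge "$(printf '%s' "$COMPLETE_LEVEL" | tr -d '-')" ]; then
        echo complete   # all 2016-07-01 and 2016-07-05 issues addressed
    elif [ "$have" -ge "$(printf '%s' "$PARTIAL_LEVEL" | tr -d '-')" ]; then
        echo partial    # 2016-07-05 issues are not guaranteed to be fixed
    else
        echo outdated
    fi
}

# Constructed sample input: "<device label> <getprop line>" per device.
sample_fleet() {
    cat <<'EOF'
dev-a [ro.build.version.security_patch]: [2016-07-05]
dev-b [ro.build.version.security_patch]:[2016-07-01]
dev-c [ro.build.version.security_patch]: [2016-06-01]
dev-d [ro.build.version.security_patch]: [2016-7-01]
EOF
}

# Read the fleet listing on stdin and print "<device label> <status>".
audit_fleet() {
    while read -r label prop; do
        level=$(printf '%s\n' "$prop" | extract_patch_level)
        echo "$label $(classify_patch_level "$level")"
    done
}

sample_fleet | audit_fleet
```

<p>A device reported as partial still needs review against the 2016-07-05 issues,
since that level may include only a subset of those fixes.</p>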