Permissions, Privileges, and Access Controls in Google Android - CVE-2016-3888
Published: September 12, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU40111
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-3888
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Google
Affected software:
Google Android
Google Android
Detailed vulnerability description
The vulnerability allows a local authenticated user to manipulate data.
internal/telephony/SMSDispatcher.java in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism, and send premium SMS messages during the Setup Wizard provisioning stage, via unspecified vectors, aka internal bug 29420123.
How to mitigate CVE-2016-3888
Install update from vendor's website.