#VU40355 Permissions, Privileges, and Access Controls in Google Android - CVE-2016-2417
Published: April 18, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU40355
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2016-2417
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Google Android
Google Android
Software vendor:
Google
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26914474.
Remediation
Install update from vendor's website.