#VU40495 Data Handling in Google Android - CVE-2016-0808

Cybersecurity Help s.r.o.

Published: 2016-02-07 | Updated: 2020-08-09

Vulnerability identifier: #VU40495

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-0808

CWE-ID: CWE-19

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Integer overflow in the getCoverageFormat12 function in CmapCoverage.cpp in the Minikin library in Android 5.x before 5.1.1 LMY49G and 6.x before 2016-02-01 allows attackers to cause a denial of service (continuous rebooting) via an application that triggers loading of a crafted TTF font, aka internal bug 25645298.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android: 5.0 - 5.1.1, 6.0 - 6.0.1

External links
https://source.android.com/security/bulletin/2016-02-01.html
https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Data Handling in Google, Google Android