Google Git
Sign in
android / platform / docs / source.android.com / 90dd9129329995537d4097cdd3263e9982997578 / . / en / security / bulletin / 2016-09-01.html
blob: e1fe1f2aa19b95088a5a15f7b54404d43888265a [file] [log] [blame]
page.title=Android Security Bulletin—September 2016
@jd:body
<!--
Copyright 2016 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p><em>Published September 06, 2016 | Updated September 12, 2016</em>
</p>
<p>
The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Alongside the bulletin, we have released a security
update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware
images have also been released to the
<a href="https://developers.google.com/android/nexus/images">Google Developer
site</a>. Security Patch Levels of September 06, 2016 or later address these
issues. Refer to the
<a href="https://support.google.com/nexus/answer/4457705#nexus_devices">documentation</a>
to learn how to check the security patch level. Supported Nexus devices will
receive a single OTA update with the September 06, 2016 security patch level.
</p>
<p>
Partners were notified about the issues described in the bulletin on August 05,
2016 or earlier. Where applicable, source code patches for these issues have
been released to the Android Open Source Project (AOSP) repository. This
bulletin also includes links to patches outside of AOSP.
</p>
<p>
The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods such
as email, web browsing, and MMS when processing media files.
</p>
<p>
We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the
<a href="#mitigations">Android and Google service mitigations</a>
section for details on the <a href="{@docRoot}security/enhancements/index.html">Android
security platform protections</a> and service protections such as SafetyNet,
which improve the security of the Android platform.
</p>
<p>
We encourage all customers to accept these updates to their devices.
</p>
<h2 id="announcements">Announcements</h2>
<ul>
<li>This bulletin has three security patch level strings to provide Android
partners with the flexibility to move more quickly to fix a subset of
vulnerabilities that are similar across all Android devices. See
<a href="#common-questions-and-answers">Common questions and answers</a> for
additional information:
<ul>
<li><strong>2016-09-01</strong>: Partial security patch level string. This
security patch level string indicates that all issues associated with 2016-09-01
(and all previous security patch level strings) are addressed.
<li><strong>2016-09-05</strong>: Partial security patch level string. This
security patch level string indicates that all issues associated with 2016-09-01
and 2016-09-05 (and all previous security patch level strings) are addressed.
<li><strong>2016-09-06</strong>: Complete security patch level string, which
addresses issues that were discovered after partners were notified of most
issues in this bulletin. This security patch level string indicates that all
issues associated with 2016-09-01, 2016-09-05, and 2016-09-06 (and all previous
security patch level strings) are addressed.
<li>Supported Nexus devices will receive a single OTA update with the September
06, 2016 security patch level.</li>
</ul>
</li>
</ul>
<h2>Security vulnerability summary</h2>
<p>
The tables below contains a list of security vulnerabilities, the Common
Vulnerability and Exposures ID (CVE), the assessed severity, and whether or not
Nexus devices are affected. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.
</p>
<h3 id="2016-09-01-summary">2016-09-01 security patch level—Vulnerability summary</h3>
<p>
Security patch levels of 2016-09-01 or later must address the following issues.
</p>
<table>
<col width="55%">
<col width="20%">
<col width="13%">
<col width="12%">
<tr>
<th>Issue</th>
<th>CVE</th>
<th>Severity</th>
<th>Affects Nexus?</th>
</tr>
<tr>
<td>Remote code execution vulnerability in LibUtils</td>
<td>CVE-2016-3861</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Remote code execution vulnerability in Mediaserver</td>
<td>CVE-2016-3862</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Remote code execution vulnerability in MediaMuxer</td>
<td>CVE-2016-3863</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Mediaserver</td>
<td>CVE-2016-3870, CVE-2016-3871, CVE-2016-3872</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in device boot</td>
<td>CVE-2016-3875</td>
<td>High</td>
<td>No*</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Settings</td>
<td>CVE-2016-3876</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Denial of service vulnerability in Mediaserver</td>
<td>CVE-2016-3899, CVE-2016-3878,
CVE-2016-3879, CVE-2016-3880, CVE-2016-3881</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Telephony</td>
<td>CVE-2016-3883</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Notification Manager Service</td>
<td>CVE-2016-3884</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Debuggerd</td>
<td>CVE-2016-3885</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in System UI Tuner</td>
<td>CVE-2016-3886</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Settings</td>
<td>CVE-2016-3887</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in SMS</td>
<td>CVE-2016-3888</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Settings</td>
<td>CVE-2016-3889</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Java Debug Wire Protocol</td>
<td>CVE-2016-3890</td>
<td>Moderate</td>
<td>No*</td>
</tr>
<tr>
<td>Information disclosure vulnerability in Mediaserver</td>
<td>CVE-2016-3895</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Information disclosure vulnerability in AOSP Mail</td>
<td>CVE-2016-3896</td>
<td>Moderate</td>
<td>No*</td>
</tr>
<tr>
<td>Information disclosure vulnerability in Wi-Fi</td>
<td>CVE-2016-3897</td>
<td>Moderate</td>
<td>No*</td>
</tr>
<tr>
<td>Denial of service vulnerability in Telephony</td>
<td>CVE-2016-3898</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
</table>
<p>
* Supported Nexus devices on Android 7.0 that have installed all available
updates are not affected by this vulnerability.
</p>
<h3 id="2016-09-05-summary">2016-09-05 security patch level—Vulnerability summary</h3>
<p>
Security patch levels of 2016-09-05 or later must address all of the 2016-09-01
issues as well as the following issues.
</p>
<table>
<col width="55%">
<col width="20%">
<col width="13%">
<col width="12%">
<tr>
<th>Issue</th>
<th>CVE</th>
<th>Severity</th>
<th>Affects Nexus?</th>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel security subsystem</td>
<td>CVE-2014-9529, CVE-2016-4470</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel networking subsystem</td>
<td>CVE-2013-7446</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel netfilter subsystem</td>
<td>CVE-2016-3134</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel USB driver</td>
<td>CVE-2016-3951</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel sound subsystem</td>
<td>CVE-2014-4655</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel ASN.1 decoder</td>
<td>CVE-2016-2053</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm radio interface layer</td>
<td>CVE-2016-3864</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm subsystem driver</td>
<td>CVE-2016-3858</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel networking driver</td>
<td>CVE-2016-4805</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Synaptics touchscreen driver</td>
<td>CVE-2016-3865</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm camera driver</td>
<td>CVE-2016-3859</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm sound driver</td>
<td>CVE-2016-3866</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm IPA driver</td>
<td>CVE-2016-3867</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm power driver</td>
<td>CVE-2016-3868</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Broadcom Wi-Fi driver</td>
<td>CVE-2016-3869</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel eCryptfs filesystem</td>
<td>CVE-2016-1583</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in NVIDIA kernel</td>
<td>CVE-2016-3873</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</td>
<td>CVE-2016-3874</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Denial of service vulnerability in kernel networking subsystem</td>
<td>CVE-2015-1465, CVE-2015-5364</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Denial of service vulnerability in kernel ext4 file system</td>
<td>CVE-2015-8839</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Information disclosure vulnerability in Qualcomm SPMI driver</td>
<td>CVE-2016-3892</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Information disclosure vulnerability in Qualcomm sound codec</td>
<td>CVE-2016-3893</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Information disclosure vulnerability in Qualcomm DMA component</td>
<td>CVE-2016-3894</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Information disclosure vulnerability in kernel networking subsystem</td>
<td>CVE-2016-4998</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Denial of service vulnerability in kernel networking subsystem</td>
<td>CVE-2015-2922</td>
<td>Moderate</td>
<td>Yes</td>
</tr>
<tr>
<td>Vulnerabilities in Qualcomm components</td>
<td>CVE-2016-2469</td>
<td>High</td>
<td>No</td>
</tr>
</table>
<h3 id="2016-09-06-summary">2016-09-06 security patch level—Vulnerability summary</h3>
<p>
Security patch levels of 2016-09-06 or later must address all of the 2016-09-05
issues and 2016-09-01 issues, as well as the following issues.
</p>
<table>
<col width="55%">
<col width="20%">
<col width="13%">
<col width="12%">
<tr>
<th>Issue</th>
<th>CVE</th>
<th>Severity</th>
<th>Affects Nexus?</th>
</tr>
<tr>
<td>Elevation of privilege vulnerability in kernel shared memory subsystem</td>
<td>CVE-2016-5340</td>
<td>Critical</td>
<td>Yes</td>
</tr>
<tr>
<td>Elevation of privilege vulnerability in Qualcomm networking component</td>
<td>CVE-2016-2059</td>
<td>High</td>
<td>Yes</td>
</tr>
</table>
<h2 id="mitigations">Android and Google service mitigations</h2>
<p>
This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android
security platform</a> and service protections such as SafetyNet. These
capabilities reduce the likelihood that security vulnerabilities could be
successfully exploited on Android.
</p>
<ul>
<li>Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all users
to update to the latest version of Android where possible.</li>
<li>The Android Security team actively monitors for abuse with
<a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify
Apps and SafetyNet</a>, which are designed to warn users about
<a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
Harmful Applications</a>. Verify Apps is enabled by default on devices with
<a href="http://www.android.com/gms">Google Mobile Services</a>, and is especially
important for users who install applications from outside of Google Play. Device
rooting tools are prohibited within Google Play, but Verify Apps warns users
when they attempt to install a detected rooting application—no matter where it
comes from. Additionally, Verify Apps attempts to identify and block
installation of known malicious applications that exploit a privilege escalation
vulnerability. If such an application has already been installed, Verify Apps
will notify the user and attempt to remove the detected application.</li>
<li>As appropriate, Google Hangouts and Messenger applications do not
automatically pass media to processes such as Mediaserver.</li>
</ul>
<h2 id="acknowledgements">Acknowledgements</h2>
<p>
We would like to thank these researchers for their contributions:
</p>
<ul>
<li>Cory Pruce of Carnegie Mellon University: CVE-2016-3897</li>
<li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>)
and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360
Technology Co. Ltd.: CVE-2016-3869, CVE-2016-3865, CVE-2016-3866, CVE-2016-3867</li>
<li>Hao Qin of Security Research Lab, <a href="http://www.cmcm.com">Cheetah
Mobile</a>: CVE-2016-3863</li>
<li>Jann Horn of Google Project Zero: CVE-2016-3885</li>
<li>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>)
and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360: CVE-2016-3858</li>
<li>Joshua Drake (<a href="https://twitter.com/jduck">@jduck</a>): CVE-2016-3861</li>
<li>Madhu Priya Murugan of CISPA, Saarland University: CVE-2016-3896</li>
<li>Makoto Onuki of Google: CVE-2016-3876</li>
<li>Mark Brand of Google Project Zero: CVE-2016-3861</li>
<li>Max Spector of Android Security: CVE-2016-3888</li>
<li>Max Spector and Quan To of Android Security: CVE-2016-3889</li>
<li>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>),
Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>),
and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3895</li>
<li>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) of
Tesla Motors Product Security Team: Discovery of additional issues related to
CVE-2016-2446</li>
<li>Oleksiy Vyalov of Google: CVE-2016-3890</li>
<li>Oliver Chang of Google Chrome Security Team: CVE-2016-3880</li>
<li>Peng Xiao, Chengming Yang, Ning You, Chao Yang, and Yang song, of Alibaba
Mobile Security Group: CVE-2016-3859</li>
<li>Ronald L. Loor Vargas (<a href="https://twitter.com/loor_rlv">@loor_rlv</a>)
of TEAM Lv51: CVE-2016-3886</li>
<li>Sagi Kedmi, IBM Security X-Force Researcher: CVE-2016-3873</li>
<li><a href="mailto:sbauer@plzdonthack.me">Scott Bauer</a>
(<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2016-3893,
CVE-2016-3868, CVE-2016-3867</li>
<li>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of
TrendMicro: CVE-2016-3894</li>
<li>Tim Strazzere (<a href="https://twitter.com/timstrazz">@timstrazz</a>) of
SentinelOne / RedNaga: CVE-2016-3862</li>
<li>trotmaster (<a href="https://twitter.com/trotmaster99">@trotmaster99</a>):
CVE-2016-3883</li>
<li>Victor Chang of Google: CVE-2016-3887</li>
<li>Vignesh Venkatasubramanian of Google: CVE-2016-3881</li>
<li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
Alibaba Inc: CVE-2016-3878</li>
<li><a href="mailto:vancouverdou@gmail.com">Wenke Dou</a>, Mingjian Zhou
(<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu
(<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang
of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3870, CVE-2016-3871,
CVE-2016-3872</li>
<li>Wish Wu (<a href="http://weibo.com/wishlinux">吴潍浠</a>)
(<a href="https://twitter.com/wish_wu">@wish_wu</a>) of
<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/author/wishwu/">Trend
Micro Inc</a>.: CVE-2016-3892</li>
<li>Xingyu He (何星宇) (<a href="https://twitter.com/Spid3r_">@Spid3r_</a>)
of <a href="http://www.alibaba.com/">Alibaba Inc</a>: CVE-2016-3879</li>
<li>Yacong Gu of TCA Lab, Institute of Software, Chinese Academy of Sciences:
CVE-2016-3884</li>
<li><a href="http://yurushao.info">Yuru Shao</a> of University of Michigan Ann
Arbor: CVE-2016-3898</li>
</ul>
<h2 id="2016-09-01-details">2016-09-01 security patch level—Security vulnerability details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities listed in the
<a href="#2016-09-01-summary">2016-09-01 security patch level—Vulnerability
summary</a> above. There is a description of the issue, a severity rationale,
and a table with the CVE, associated references, severity, updated Nexus
devices, updated AOSP versions (where applicable), and date reported. When
available, we will link the public change that addressed the issue to the bug
ID, like the AOSP change list. When multiple changes relate to a single bug,
additional references are linked to numbers following the bug ID.
</p>
<h3>Remote code execution vulnerability in LibUtils</h3>
<p>
A remote code execution vulnerability in LibUtils could enable an attacker using
a specially crafted file to execute arbitrary code in the context of a
privileged process. This issue is rated as Critical due to the possibility of
remote code execution in applications that use this library.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3861</td>
<td><a href="https://android.googlesource.com/platform/system/core/+/ecf5fd58a8f50362ce9e8d4245a33d56f29f142b">
A-29250543</a>
[<a href="https://android.googlesource.com/platform/frameworks/av/+/3944c65637dfed14a5a895685edfa4bacaf9f76e">2</a>]
[<a href="https://android.googlesource.com/platform/frameworks/base/+/866dc26ad4a98cc835d075b627326e7d7e52ffa1">3</a>]
[<a href="https://android.googlesource.com/platform/frameworks/native/+/1f4b49e64adf4623eefda503bca61e253597b9bf">4</a>]
</td>
<td>Critical</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 9, 2016</td>
</tr>
</table>
<h3>Remote code execution vulnerability in Mediaserver</h3>
<p>
A remote code execution vulnerability in Mediaserver could enable an attacker
using a specially crafted file to cause memory corruption during media file and
data processing. This issue is rated as Critical due to the possibility of
remote code execution within the context of the Mediaserver process.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3862</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/e739d9ca5469ed30129d0fa228e3d0f2878671ac">
A-29270469</a></td>
<td>Critical</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
<td>Jun 10, 2016</td>
</tr>
</table>
<h3>Remote code execution vulnerability in MediaMuxer</h3>
<p>
A remote code execution vulnerability in MediaMuxer could enable an attacker
using a specially crafted file to execute arbitrary code in the context of an
unprivileged process. This issue is rated as High due to the possibility of
remote code execution in an application that uses MediaMuxer.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3863</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/119a012b2a9a186655da4bef3ed4ed8dd9b94c26">
A-29161888</a></td>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 6, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Mediaserver</h3>
<p>
An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to gain
local access to elevated capabilities, which are not normally accessible to a
third-party application.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3870</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/1e9801783770917728b7edbdeff3d0ec09c621ac">
A-29421804</a>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 15, 2016</td>
</tr>
<tr>
<td>CVE-2016-3871</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/c2639afac631f5c1ffddf70ee8a6fe943d0bedf9">
A-29422022</a>
[<a href="https://android.googlesource.com/platform/frameworks/av/+/3c4edac2a5b00dec6c8579a0ee658cfb3bb16d94">2</a>]
[<a href="https://android.googlesource.com/platform/frameworks/av/+/c17ad2f0c7e00fd1bbf01d0dfed41f72d78267ad">3</a>]
</td>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 15, 2016</td>
</tr>
<tr>
<td>CVE-2016-3872</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/630ed150f7201ddadb00b8b8ce0c55c4cc6e8742">
A-29421675</a>
[<a href="https://android.googlesource.com/platform/frameworks/av/+/9f9ba255a0c59544f3555c9c45512c3a2fac5fad">2</a>]
</td>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 15, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in device boot</h3>
<p>
An elevation of privilege during the boot sequence could enable a local
malicious attacker to boot into safe mode even though it's disabled. This issue
is rated as High because it is a local bypass of user interaction requirements
for any developer or security settings modifications.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3875</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/69729fa8b13cadbf3173fe1f389fe4f3b7bd0f9c">
A-26251884</a></td>
<td>High</td>
<td>None*</td>
<td>6.0, 6.0.1</td>
<td>Google internal</td>
</tr>
</table>
<p>
* Supported Nexus devices on Android 7.0 that have installed all available
updates are not affected by this vulnerability.
</p>
<h3>Elevation of privilege vulnerability in Settings</h3>
<p>
An elevation of privilege in Settings could enable a local malicious attacker to
boot into safe mode even though it's disabled. This issue is rated as High
because it is a local bypass of user interaction requirements for any developer
or security settings modifications.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3876</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/91fc934bb2e5ea59929bb2f574de6db9b5100745">
A-29900345</a></td>
<td>High</td>
<td>All Nexus</td>
<td>6.0, 6.0.1, 7.0</td>
<td>Google internal</td>
</tr>
</table>
<h3>Denial of service vulnerability in Mediaserver</h3>
<p>
A denial of service vulnerability in Mediaserver could enable an attacker to use
a specially crafted file to cause a device hang or reboot. This issue is rated
as High due to the possibility of remote denial of service.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3899</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/97837bb6cbac21ea679843a0037779d3834bed64">
A-29421811</a></td>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 16, 2016</td>
</tr>
<tr>
<td>CVE-2016-3878</td>
<td><a href="https://android.googlesource.com/platform/external/libavc/+/7109ce3f8f90a28ca9f0ee6e14f6ac5e414c62cf">
A-29493002</a></td>
<td>High</td>
<td>All Nexus*</td>
<td>6.0, 6.0.1</td>
<td>Jun 17, 2016</td>
</tr>
<tr>
<td>CVE-2016-3879</td>
<td><a href="https://android.googlesource.com/platform/external/sonivox/+/cadfb7a3c96d4fef06656cf37143e1b3e62cae86">
A-29770686</a></td>
<td>High</td>
<td>All Nexus*</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
<td>Jun 25, 2016</td>
</tr>
<tr>
<td>CVE-2016-3880</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/68f67ef6cf1f41e77337be3bc4bff91f3a3c6324">
A-25747670</a></td>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Google internal</td>
</tr>
<tr>
<td>CVE-2016-3881</td>
<td><a href="https://android.googlesource.com/platform/external/libvpx/+/4974dcbd0289a2530df2ee2a25b5f92775df80da">
A-30013856</a></td>
<td>High</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Google internal</td>
</tr>
</table>
<p>
* Supported Nexus devices on Android 7.0 that have installed all available
updates are not affected by this vulnerability.
</p>
<h3>Elevation of privilege vulnerability in Telephony</h3>
<p>
An elevation of privilege vulnerability in the Telephony component could enable
a local malicious application to send unauthorized premium SMS messages. This
issue is rated as Moderate because it could be used to gain elevated
capabilities without explicit user permission.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3883</td>
<td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b2c89e6f8962dc7aff88cb38aa3ee67d751edda9">
A-28557603</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>May 3, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Notification Manager Service</h3>
<p>
An elevation of privilege vulnerability in the Notification Manager Service
could enable a local malicious application to bypass operating system
protections that isolate application data from other applications. This issue is
rated as Moderate because it is a local bypass of user interaction requirements,
such as access to functionality that would normally require either user
initiation or user permission.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3884</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/61e9103b5725965568e46657f4781dd8f2e5b623">
A-29421441</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>6.0, 6.0.1, 7.0</td>
<td>Jun 15, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Debuggerd</h3>
<p>
An elevation of privilege vulnerability in the integrated Android debugger could
enable a local malicious application to execute arbitrary code within the
context of the Android debugger. This issue is rated as Moderate severity due to
the possibility of local arbitrary code execution in a privileged process.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3885</td>
<td><a href="https://android.googlesource.com/platform/system/core/+/d7603583f90c2bc6074a4ee2886bd28082d7c65b">
A-29555636</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 21, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in System UI Tuner</h3>
<p>
An elevation of privilege in the System UI Tuner could enable a local malicious
user to modify protected settings when a device is locked. This issue is rated
as Moderate because it is a local bypass of user permissions.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3886</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/6ca6cd5a50311d58a1b7bf8fbef3f9aa29eadcd5">
A-30107438</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>7.0</td>
<td>Jun 23, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Settings</h3>
<p>
An elevation of privilege vulnerability in Settings could enable a local
malicious application to bypass operating system protections for VPN settings.
This issue is rated as Moderate because it could be used to gain access to data
that is outside of the application’s permission levels.
</p>
<table>
<col width="18%">
<col width="17%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="18%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3887</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/335702d106797bce8a88044783fa1fc1d5f751d0">
A-29899712</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>7.0</td>
<td>Google internal</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in SMS</h3>
<p>
An elevation of privilege vulnerability in SMS could enable a local attacker to
send premium SMS messages prior to the device being provisioned. This is rated
as Moderate due to the possibility of bypassing Factory Reset Protection, which
should prevent the device from being used before it is set up.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3888</td>
<td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b8d1aee993dcc565e6576b2f2439a8f5a507cff6">
A-29420123</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Google internal</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Settings</h3>
<p>
An elevation of privilege vulnerability in Settings could enable a local
attacker to bypass the Factory Reset Protection and gain access to the device.
This is rated as Moderate due to the possibility of bypassing Factory Reset
Protection, which could lead to successfully resetting the device and erasing
all its data.
</p>
<table>
<col width="18%">
<col width="17%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="18%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3889</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/e206f02d46ae5e38c74d138b51f6e1637e261abe">
A-29194585</a>
[<a href="https://android.googlesource.com/platform/packages/apps/Settings/+/bd5d5176c74021e8cf4970f93f273ba3023c3d72">2</a>]
</td>
<td>Moderate</td>
<td>All Nexus</td>
<td>6.0, 6.0.1, 7.0</td>
<td>Google internal</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Java Debug Wire Protocol</h3>
<p>
An elevation of privilege vulnerability in the Java Debug Wire Protocol could
enable a local malicious application to execute arbitrary code within the
context of an elevated system application. This issue is rated as Moderate
because it requires an uncommon device configuration.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="18%">
<col width="18%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3890</td>
<td><a href="https://android.googlesource.com/platform/system/core/+/268068f25673242d1d5130d96202d3288c91b700">
A-28347842</a>
[<a href="https://android.googlesource.com/platform/system/core/+/014b01706cc64dc9c2ad94a96f62e07c058d0b5d">2</a>]
</td>
<td>Moderate</td>
<td>None*</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
<td>Google internal</td>
</tr>
</table>
<p>
* Supported Nexus devices on Android 7.0 that have installed all available
updates are not affected by this vulnerability.
</p>
<h3>Information disclosure vulnerability in Mediaserver</h3>
<p>
An information disclosure vulnerability in Mediaserver could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it could be used to access sensitive data
without permission.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3895</td>
<td><a href="https://android.googlesource.com/platform/frameworks/native/+/363247929c35104b3e5ee9e637e9dcf579080aee">
A-29983260</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>6.0, 6.0.1, 7.0</td>
<td>Jul 4, 2016</td>
</tr>
</table>
<h3>Information disclosure vulnerability in AOSP Mail</h3>
<p>
An information disclosure vulnerability in AOSP Mail could enable a local
malicious application to gain access to user’s private information. This issue
is rated as Moderate because it could be used to improperly access data without
permission.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3896</td>
<td><a href="https://android.googlesource.com/platform/packages/apps/Email/+/cb2dfe43f25cb0c32cc73aa4569c0a5186a4ef43">
A-29767043</a></td>
<td>Moderate</td>
<td>None*</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
<td>Jul 24, 2016</td>
</tr>
</table>
<p>
* Supported Nexus devices on Android 7.0 that have installed all available
updates are not affected by this vulnerability.
</p>
<h3>Information disclosure vulnerability in Wi-Fi</h3>
<p>
An information disclosure vulnerability in the Wi-Fi configuration could allow
an application to access sensitive information. This issue is rated as Moderate
because it could be used to access data without permission.
</p>
<table>
<col width="18%">
<col width="16%">
<col width="10%">
<col width="19%">
<col width="19%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3897</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/55271d454881b67ff38485fdd97598c542cc2d55">
A-25624963</a>
[<a href="https://android.googlesource.com/platform/frameworks/base/+/81be4e3aac55305cbb5c9d523cf5c96c66604b39">2</a>]
</td>
<td>Moderate</td>
<td>None*</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 5, 2015</td>
</tr>
</table>
<p>
* Supported Nexus devices on Android 7.0 that have installed all available
updates are not affected by this vulnerability.
</p>
<h3>Denial of service vulnerability in Telephony</h3>
<p>
A denial of service vulnerability in the Telephony component could enable a
local malicious application to prevent 911 TTY calls from a locked screen. This
issue is rated as Moderate due to the possibility of a denial of service on a
critical function.
</p>
<table>
<col width="18%">
<col width="18%">
<col width="10%">
<col width="19%">
<col width="17%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Updated AOSP versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3898</td>
<td><a href="https://android.googlesource.com/platform/packages/services/Telephony/+/d1d248d10cf03498efb7041f1a8c9c467482a19d">
A-29832693</a></td>
<td>Moderate</td>
<td>All Nexus</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
<td>Jun 28, 2016</td>
</tr>
</table>
<h2 id="2016-09-05-details">2016-09-05 security patch level—Vulnerability details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities listed in the
<a href="#2016-09-05-summary">2016-09-05 security patch level—Vulnerability
summary</a> above. There is a description of the issue, a severity rationale,
and a table with the CVE, associated references, severity, updated Nexus
devices, updated AOSP versions (where applicable), and date reported. When
available, we will link the public change that addressed the issue to the bug
ID, like the AOSP change list. When multiple changes relate to a single bug,
additional references are linked to numbers following the bug ID.
</p>
<h3>Elevation of privilege vulnerability in kernel security subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel security subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2014-9529</td>
<td>A-29510361
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a3a8784454692dd72e5d5d34dcdab17b4420e74c">Upstream
kernel</a></p></td>
<td>Critical</td>
<td>Nexus 5, Nexus 6, Nexus 9, Nexus Player, Android One</td>
<td>Jan 6, 2015</td>
</tr>
<tr>
<td>CVE-2016-4470</td>
<td>A-29823941
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a">Upstream
kernel</a></p></td>
<td>Critical</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player</td>
<td>June 15, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in kernel networking subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel networking subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2013-7446</td>
<td>A-29119002
<p>
<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c">Upstream
kernel</a></p></td>
<td>Critical</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
<td>Nov 18, 2015</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in kernel netfilter subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel netfilter subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3134</td>
<td>A-28940694
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309">Upstream
kernel</a></p></td>
<td>Critical</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
<td>Mar 9, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in kernel USB driver</h3>
<p>
An elevation of privilege vulnerability in the kernel USB driver could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as Critical due to the possibility of a local
permanent device compromise, which may require reflashing the operating system
to repair the device.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3951</td>
<td>A-28744625
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d06dd537f95683aba3651098ae288b7cbff8274">Upstream kernel</a>
[<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1666984c8625b3db19a9abc298931d35ab7bc64b">2</a>]</p></td>
<td>Critical</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
<td>Apr 6, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in kernel sound subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel sound subsystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2014-4655</td>
<td>A-29916012
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=82262a46627bebb0febcc26664746c25cef08563">Upstream
kernel</a></p></td>
<td>High</td>
<td>Nexus 5, Nexus 6, Nexus 9, Nexus Player</td>
<td>Jun 26, 2014</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in kernel ASN.1 decoder</h3>
<p>
An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising a
privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-2053</td>
<td>A-28751627
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f">Upstream
kernel</a></p></td>
<td>High</td>
<td>Nexus 5X, Nexus 6P</td>
<td>Jan 25, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Qualcomm radio interface layer</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm radio interface layer
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="18%">
<col width="10%">
<col width="25%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3864</td>
<td>A-28823714*<br>
QC-CR#913117</td>
<td>High</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
<td>Apr 29, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Qualcomm subsystem driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm subsystem driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3858</td>
<td>A-28675151<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0c148b9a9028c566eac680f19e5d664b483cdee3">QC-CR#1022641</a></td>
<td>High</td>
<td>Nexus 5X, Nexus 6P</td>
<td>May 9, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in kernel networking driver</h3>
<p>
An elevation of privilege vulnerability in the kernel networking driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-4805</td>
<td>A-28979703
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f461dcdd296eecedaffffc6bae2bfa90bd7eb89">Upstream
kernel</a></p></td>
<td>High</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9</td>
<td>May 15, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Synaptics touchscreen driver</h3>
<p>
An elevation of privilege vulnerability in the Synaptics touchscreen driver
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3865</td>
<td>A-28799389*</td>
<td>High</td>
<td>Nexus 5X, Nexus 9</td>
<td>May 16, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Qualcomm camera driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm camera driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3859</td>
<td>A-28815326*<br>
QC-CR#1034641</td>
<td>High</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
<td>May 17, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Qualcomm sound driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm sound driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3866</td>
<td>A-28868303*<br>
QC-CR#1032820</td>
<td>High</td>
<td>Nexus 5X, Nexus 6, Nexus 6P</td>
<td>May 18, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Qualcomm IPA driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm IPA driver could enable
a local malicious application to execute arbitrary code within the context of
the kernel. This issue is rated as High because it first requires compromising a
privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3867</td>
<td>A-28919863*<br>
QC-CR#1037897</td>
<td>High</td>
<td>Nexus 5X, Nexus 6P</td>
<td>May 21, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Qualcomm power driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm power driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3868</td>
<td>A-28967028*<br>
QC-CR#1032875</td>
<td>High</td>
<td>Nexus 5X, Nexus 6P</td>
<td>May 25, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Broadcom Wi-Fi driver</h3>
<p>
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3869</td>
<td>A-29009982*<br>
B-RB#96070</td>
<td>High</td>
<td>Nexus 5, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C</td>
<td>May 27, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in kernel eCryptfs filesystem</h3>
<p>
An elevation of privilege vulnerability in the kernel eCryptfs filesystem could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="17%">
<col width="22%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-1583</td>
<td>A-29444228<br>
<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9">Upstream kernel</a>
[<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87">2</a>]
[<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29d6455178a09e1dc340380c582b13356227e8df">3</a>]</td>
<td>High</td>
<td>Pixel C</td>
<td>Jun 1, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in NVIDIA kernel</h3>
<p>
An elevation of privilege vulnerability in the NVIDIA kernel could enable a
local malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as High severity because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3873</td>
<td>A-29518457*<br>
N-CVE-2016-3873</td>
<td>High</td>
<td>Nexus 9</td>
<td>Jun 20, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3874</td>
<td>A-29944562<br>
<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=50e8f265b3f7926aeb4e49c33f7301ace89faa77">QC-CR#997797</a>
[<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a3974e61c960aadcc147c3c5704a67309171642d">2</a>]</td>
<td>High</td>
<td>Nexus 5X</td>
<td>Jul 1, 2016</td>
</tr>
</table>
<h3>Denial of service vulnerability in kernel networking subsystem</h3>
<p>
A denial of service vulnerability in the kernel networking subsystem could
enable an attacker to cause a device hang or reboot. This issue is rated as High
due to the possibility of a temporary remote denial of service.
</p>
<table>
<col width="19%">
<col width="18%">
<col width="10%">
<col width="25%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2015-1465</td>
<td>A-29506807
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0">Upstream
kernel</a></p></td>
<td>High</td>
<td>Nexus 5, Nexus 6, Nexus 9, Nexus Player, Pixel C, Android One</td>
<td>Feb 3, 2015</td>
</tr>
<tr>
<td>CVE-2015-5364</td>
<td>A-29507402
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0">Upstream
kernel</a></p></td>
<td>High</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
<td>Jun 30, 2015</td>
</tr>
</table>
<h3>Denial of service vulnerability in kernel ext4 file system</h3>
<p>
A denial of service vulnerability in the kernel ext4 file system could enable an
attacker to cause a local permanent denial of service, which may require
reflashing the operating system to repair the device. This issue is rated as
High due to the possibility of local permanent denial of service.
</p>
<table>
<col width="19%">
<col width="16%">
<col width="10%">
<col width="27%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2015-8839</td>
<td>A-28760453*</td>
<td>High</td>
<td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One</td>
<td>Apr 4, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Information disclosure vulnerability in Qualcomm SPMI driver</h3>
<p>
An information disclosure vulnerability in the Qualcomm SPMI driver could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3892</td>
<td>A-28760543*<br>
QC-CR#1024197</td>
<td>Moderate</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
<td>May 13, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Information disclosure vulnerability in Qualcomm sound codec</h3>
<p>
An information disclosure vulnerability in the Qualcomm sound codec could enable
a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a
privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3893</td>
<td>A-29512527<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a7a6ddc91cce7ad5ad55c9709b24bfc80f5ac873">QC-CR#856400</a></td>
<td>Moderate</td>
<td>Nexus 6P</td>
<td>Jun 20, 2016</td>
</tr>
</table>
<h3>Information disclosure vulnerability in Qualcomm DMA component</h3>
<p>
An information disclosure vulnerability in the Qualcomm DMA component could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as Moderate because it first requires compromising a
privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-3894</td>
<td>A-29618014*<br>
QC-CR#1042033</td>
<td>Moderate</td>
<td>Nexus 6</td>
<td>Jun 23, 2016</td>
</tr>
</table>
<p>
* The patch for this issue is not publicly available. The update is contained in
the latest binary drivers for Nexus devices available from the
<a href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.
</p>
<h3>Information disclosure vulnerability in kernel networking subsystem</h3>
<p>
An information disclosure vulnerability in the kernel networking subsystem could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as Moderate because it first requires compromising a
privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-4998</td>
<td>A-29637687<br>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968e9686df777dc178486f600c6e617">Upstream kernel</a>
[<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91">2</a>]</td>
<td>Moderate</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
<td>Jun 24, 2016</td>
</tr>
</table>
<h3>Denial of service vulnerability in kernel networking subsystem</h3>
<p>
A denial of service vulnerability in the kernel networking subsystem could
enable an attacker to block access to Wi-Fi capabilities.This issue is rated as
Moderate due to the possibility of a temporary remote denial of service of the
Wi-Fi capabilities.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2015-2922</td>
<td>A-29409847
<p>
<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a">Upstream
kernel</a></p></td>
<td>Moderate</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
Android One</td>
<td>Apr 4, 2015</td>
</tr>
</table>
<h3>Vulnerabilities in Qualcomm components</h3>
<p>
The table below contains security vulnerabilities affecting Qualcomm components,
potentially including the bootloader, camera driver, character driver,
networking, sound driver, and video driver.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-2469</td>
<td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e">QC-CR#997025</a></td>
<td>High</td>
<td>None</td>
<td>Jun 2016</td>
</tr>
<tr>
<td>CVE-2016-2469</td>
<td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e7369163162e7773bc887f7a264d6aa46cfcc665">QC-CR#997015</a></td>
<td>Moderate</td>
<td>None</td>
<td>Jun 2016</td>
</tr>
</table>
<h2 id="2016-09-06-details">2016-09-06 security patch level—Vulnerability details</h2>
<p>
In the sections below, we provide details for each of the security
vulnerabilities listed in the
<a href="#2016-09-06-summary">2016-09-06 security patch level—Vulnerability
summary</a> above. There is a description of the issue, a severity rationale,
and a table with the CVE, associated references, severity, updated Nexus
devices, updated AOSP versions (where applicable), and date reported. When
available, we will link the public change that addressed the issue to the bug
ID, like the AOSP change list. When multiple changes relate to a single bug,
additional references are linked to numbers following the bug ID.
</p>
<h3>Elevation of privilege vulnerability in kernel shared memory subsystem</h3>
<p>
An elevation of privilege vulnerability in the kernel shared memory subsystem
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Critical due to the possibility of
a local permanent device compromise, which may require reflashing the operating
system to repair the device.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-5340</td>
<td>A-30652312<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6">QC-CR#1008948</a></td>
<td>Critical</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
<td>Jul 26, 2016</td>
</tr>
</table>
<h3>Elevation of privilege vulnerability in Qualcomm networking component</h3>
<p>
An elevation of privilege vulnerability in the Qualcomm networking component
could enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as High because it first requires
compromising a privileged process.
</p>
<table>
<col width="19%">
<col width="20%">
<col width="10%">
<col width="23%">
<col width="17%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Severity</th>
<th>Updated Nexus devices</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-2059</td>
<td>A-27045580<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d">QC-CR#974577</a></td>
<td>High</td>
<td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
<td>Feb 4, 2016</td>
</tr>
</table>
<h2 id="common-questions-and-answers">Common Questions and Answers</h2>
<p>
This section answers common questions that may occur after reading this
bulletin.
</p>
<p>
<strong>1. How do I determine if my device is updated to address these issues?
</strong>
</p>
<p>
Security Patch Levels of 2016-09-01 or later address all issues associated with
the 2016-09-01 security patch string level. Security Patch Levels of 2016-09-05
or later address all issues associated with the 2016-09-05 security patch string
level. Security Patch Levels of 2016-09-06 or later address all issues
associated with the 2016-09-06 security patch string level. Refer to the
<a href="https://support.google.com/nexus/answer/4457705">help center</a> for
instructions on how to check the security patch level. Device manufacturers that
include these updates should set the patch string level to:
[ro.build.version.security_patch]:[2016-09-01],
[ro.build.version.security_patch]:[2016-09-05], or
[ro.build.version.security_patch]:[2016-09-06].
</p>
<p>
<strong>2. Why does this bulletin have three security patch level
strings?</strong>
</p>
<p>
This bulletin has three security patch level strings so that Android partners
have the flexibility to fix a subset of vulnerabilities that are similar across
all Android devices more quickly. Android partners are encouraged to fix all
issues in this bulletin and use the latest security patch level string.
</p>
<p>
Devices that use the September 6, 2016 security patch level or newer must
include all applicable patches in this (and previous) security bulletins. This
patch level was created to addresses issues that were discovered after partners
were first notified of most issues in this bulletin.
</p>
<p>
Devices that use September 5, 2016 security patch level must include all issues
associated with that security patch level, the September 1, 2016 security patch
level and fixes for all issues reported in previous security bulletins. Devices
that use the September 5, 2016 security patch level may also include a subset of
fixes associated with the September 6, 2016 security patch level.
</p>
<p>
Devices that use September 1, 2016 security patch level must include all issues
associated with that security patch level as well as fixes for all issues
reported in previous security bulletins. Devices that use the September 1, 2016
security patch level may also include a subset of fixes associated with the
September 5, 2016 and September 6, 2016 security patch levels.
</p>
<p>
3<strong>. How do I determine which Nexus devices are affected by each
issue?</strong>
</p>
<p>
In the
<a href="#2016-09-01-details">2016-09-01</a>,
<a href="#2016-09-05-details">2016-09-05</a>, and
<a href="#2016-09-06-details">2016-09-06</a> security vulnerability details
sections, each table has an <em>Updated Nexus devices</em> column that covers
the range of affected Nexus devices updated for each issue. This column has a
few options:
</p>
<ul>
<li><strong>All Nexus devices</strong>: If an issue affects all Nexus devices,
the table will have “All Nexus” in the <em>Updated Nexus devices</em> column.
“All Nexus” encapsulates the following
<a href="https://support.google.com/nexus/answer/4457705#nexus_devices">supported
devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9,
Android One, Nexus Player, and Pixel C.</li>
<li><strong>Some Nexus devices</strong>: If an issue doesn’t affect all Nexus
devices, the affected Nexus devices are listed in the <em>Updated Nexus
devices</em> column.</li>
<li><strong>No Nexus devices</strong>: If no Nexus devices running Android 7.0
are affected by the issue, the table will have “None” in the <em>Updated Nexus
devices</em> column.</li>
</ul>
<p>
<strong>4. What do the entries in the references column map to?</strong>
</p>
<p>
Entries under the <em>References</em> column of the vulnerability details table
may contain a prefix identifying the organization to which the reference value
belongs. These prefixes map as follows:
</p>
<table>
<tr>
<th>Prefix</th>
<th>Reference</th>
</tr>
<tr>
<td>A-</td>
<td>Android bug ID</td>
</tr>
<tr>
<td>QC-</td>
<td>Qualcomm reference number</td>
</tr>
<tr>
<td>M-</td>
<td>MediaTek reference number</td>
</tr>
<tr>
<td>N-</td>
<td>NVIDIA reference number</td>
</tr>
<tr>
<td>B-</td>
<td>Broadcom reference number</td>
</tr>
</table>
<h2 id="revisions">Revisions</h2>
<ul>
<li>September 06, 2016: Bulletin published.</li>
<li>September 07, 2016: Bulletin revised to include AOSP links.</li>
<li>September 12, 2016: Bulletin revised to update attribution for
CVE-2016-3861 and remove CVE-2016-3877.</li>
</ul>