Docs: September 2016 Security bulletin
Bug: 30915237
Change-Id: I0866814c6c65be162c283844b23295b322136396
diff --git a/src/security/bulletin/2016-09-01.jd b/src/security/bulletin/2016-09-01.jd
new file mode 100644
index 0000000..4be3d95
--- /dev/null
+++ b/src/security/bulletin/2016-09-01.jd
@@ -0,0 +1,2353 @@
+page.title=Android Security Bulletin—September 2016
+@jd:body
+
+<!--
+ Copyright 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<p><em>Published September 06, 2016</em>
+</p>
+
+<p>
+The Android Security Bulletin contains details of security vulnerabilities
+affecting Android devices. Alongside the bulletin, we have released a security
+update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware
+images have also been released to the
+<a href="https://developers.google.com/android/nexus/images">Google Developer
+site</a>. Security Patch Levels of September 06, 2016 or later address these
+issues. Refer to the
+<a href="https://support.google.com/nexus/answer/4457705#nexus_devices">documentation</a>
+to learn how to check the security patch level. Supported Nexus devices will
+receive a single OTA update with the September 06, 2016 security patch level.
+</p>
+
+<p>
+Partners were notified about the issues described in the bulletin on August 05,
+2016 or earlier. Where applicable, source code patches for these issues will be
+released to the Android Open Source Project (AOSP) repository in the next 48
+hours. We will revise this bulletin with the AOSP links when they are available.
+</p>
+
+<p>
+The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods such
+as email, web browsing, and MMS when processing media files.
+</p>
+
+<p>
+We have had no reports of active customer exploitation or abuse of these newly
+reported issues. Refer to the
+<a href="#mitigations">Android and Google service mitigations</a>
+section for details on the <a href="{@docRoot}security/enhancements/index.html">Android
+security platform protections</a> and service protections such as SafetyNet,
+which improve the security of the Android platform.
+</p>
+
+<p>
+We encourage all customers to accept these updates to their devices.
+</p>
+
+<h2 id="announcements">Announcements</h2>
+<ul>
+<li>This bulletin has three security patch level strings to provide Android
+partners with the flexibility to move more quickly to fix a subset of
+vulnerabilities that are similar across all Android devices. See
+<a href="#common-questions-and-answers">Common questions and answers</a> for
+additional information:
+<ul>
+ <li><strong>2016-09-01</strong>: Partial security patch level string. This
+security patch level string indicates that all issues associated with 2016-09-01
+(and all previous security patch level strings) are addressed.
+ <li><strong>2016-09-05</strong>: Partial security patch level string. This
+security patch level string indicates that all issues associated with 2016-09-01
+and 2016-09-05 (and all previous security patch level strings) are addressed.
+ <li><strong>2016-09-06</strong>: Complete security patch level string, which
+addresses issues that were discovered after partners were notified of most
+issues in this bulletin. This security patch level string indicates that all
+issues associated with 2016-09-01, 2016-09-05, and 2016-09-06 (and all previous
+security patch level strings) are addressed.
+<li>Supported Nexus devices will receive a single OTA update with the September
+06, 2016 security patch level.</li>
+</ul>
+</li>
+</ul>
+<h2>Security vulnerability summary</h2>
+<p>
+The tables below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), the assessed severity, and whether or not
+Nexus devices are affected. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity
+assessment</a> is based on the effect that exploiting the vulnerability would
+possibly have on an affected device, assuming the platform and service
+mitigations are disabled for development purposes or if successfully bypassed.
+</p>
+
+<h3 id="2016-09-01-summary">2016-09-01 security patch level—Vulnerability summary</h3>
+<p>
+Security patch levels of 2016-09-01 or later must address the following issues.
+</p>
+
+<table>
+ <col width="55%">
+ <col width="20%">
+ <col width="13%">
+ <col width="12%">
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ <th>Affects Nexus?</th>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in LibUtils</td>
+ <td>CVE-2016-3861</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Mediaserver</td>
+ <td>CVE-2016-3862</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in MediaMuxer</td>
+ <td>CVE-2016-3863</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Mediaserver</td>
+ <td>CVE-2016-3870, CVE-2016-3871, CVE-2016-3872</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in device boot</td>
+ <td>CVE-2016-3875</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Settings</td>
+ <td>CVE-2016-3876</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Mediaserver</td>
+ <td>CVE-2016-3899, CVE-2016-3878,
+ CVE-2016-3879, CVE-2016-3880, CVE-2016-3881</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Telephony</td>
+ <td>CVE-2016-3883</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Notification Manager Service</td>
+ <td>CVE-2016-3884</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Debuggerd</td>
+ <td>CVE-2016-3885</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in System UI Tuner</td>
+ <td>CVE-2016-3886</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Settings</td>
+ <td>CVE-2016-3887</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in SMS</td>
+ <td>CVE-2016-3888</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Settings</td>
+ <td>CVE-2016-3889</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Java Debug Wire Protocol</td>
+ <td>CVE-2016-3890</td>
+ <td>Moderate</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Mediaserver</td>
+ <td>CVE-2016-3895</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in AOSP Mail</td>
+ <td>CVE-2016-3896</td>
+ <td>Moderate</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Wi-Fi</td>
+ <td>CVE-2016-3897</td>
+ <td>Moderate</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Telephony</td>
+ <td>CVE-2016-3898</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+</table>
+<p>
+* Supported Nexus devices on Android 7.0 that have installed all available
+updates are not affected by this vulnerability.
+</p>
+
+<h3 id="2016-09-05-summary">2016-09-05 security patch level—Vulnerability summary</h3>
+<p>
+Security patch levels of 2016-09-05 or later must address all of the 2016-09-01
+issues as well as the following issues.
+</p>
+
+<table>
+ <col width="55%">
+ <col width="20%">
+ <col width="13%">
+ <col width="12%">
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ <th>Affects Nexus?</th>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel security subsystem</td>
+ <td>CVE-2014-9529, CVE-2016-4470</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel networking subsystem</td>
+ <td>CVE-2013-7446</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel netfilter subsystem</td>
+ <td>CVE-2016-3134</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel USB driver</td>
+ <td>CVE-2016-3951</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel sound subsystem</td>
+ <td>CVE-2014-4655</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel ASN.1 decoder</td>
+ <td>CVE-2016-2053</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm radio interface layer</td>
+ <td>CVE-2016-3864</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm subsystem driver</td>
+ <td>CVE-2016-3858</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel networking driver</td>
+ <td>CVE-2016-4805</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Synaptics touchscreen driver</td>
+ <td>CVE-2016-3865</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm camera driver</td>
+ <td>CVE-2016-3859</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm sound driver</td>
+ <td>CVE-2016-3866</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm IPA driver</td>
+ <td>CVE-2016-3867</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm power driver</td>
+ <td>CVE-2016-3868</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Broadcom Wi-Fi driver</td>
+ <td>CVE-2016-3869</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel eCryptfs filesystem</td>
+ <td>CVE-2016-1583</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in NVIDIA kernel</td>
+ <td>CVE-2016-3873</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</td>
+ <td>CVE-2016-3874</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in kernel networking subsystem</td>
+ <td>CVE-2015-1465, CVE-2015-5364</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in kernel ext4 file system</td>
+ <td>CVE-2015-8839</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Qualcomm SPMI driver</td>
+ <td>CVE-2016-3892</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Qualcomm sound codec</td>
+ <td>CVE-2016-3893</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Qualcomm DMA component</td>
+ <td>CVE-2016-3894</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in kernel networking subsystem</td>
+ <td>CVE-2016-4998</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in kernel networking subsystem</td>
+ <td>CVE-2015-2922</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Vulnerabilities in Qualcomm components</td>
+ <td>CVE-2016-2469</td>
+ <td>High</td>
+ <td>No</td>
+ </tr>
+</table>
+<h3 id="2016-09-06-summary">2016-09-06 security patch level—Vulnerability summary</h3>
+<p>
+Security patch levels of 2016-09-06 or later must address all of the 2016-09-05
+issues and 2016-09-01 issues, as well as the following issues.
+</p>
+
+<table>
+ <col width="55%">
+ <col width="20%">
+ <col width="13%">
+ <col width="12%">
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ <th>Affects Nexus?</th>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel shared memory subsystem</td>
+ <td>CVE-2016-5340</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm networking component</td>
+ <td>CVE-2016-2059</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+</table>
+<h2 id="mitigations">Android and Google service mitigations</h2>
+<p>
+This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android
+security platform</a> and service protections such as SafetyNet. These
+capabilities reduce the likelihood that security vulnerabilities could be
+successfully exploited on Android.
+</p>
+<ul>
+<li>Exploitation for many issues on Android is made more difficult by
+enhancements in newer versions of the Android platform. We encourage all users
+to update to the latest version of Android where possible.</li>
+<li>The Android Security team actively monitors for abuse with
+<a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify
+Apps and SafetyNet</a>, which are designed to warn users about
+<a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
+Harmful Applications</a>. Verify Apps is enabled by default on devices with
+<a href="http://www.android.com/gms">Google Mobile Services</a>, and is especially
+important for users who install applications from outside of Google Play. Device
+rooting tools are prohibited within Google Play, but Verify Apps warns users
+when they attempt to install a detected rooting application—no matter where it
+comes from. Additionally, Verify Apps attempts to identify and block
+installation of known malicious applications that exploit a privilege escalation
+vulnerability. If such an application has already been installed, Verify Apps
+will notify the user and attempt to remove the detected application.</li>
+<li>As appropriate, Google Hangouts and Messenger applications do not
+automatically pass media to processes such as Mediaserver.</li>
+</ul>
+
+<h2 id="acknowledgements">Acknowledgements</h2>
+<p>
+We would like to thank these researchers for their contributions:
+</p>
+
+
+<ul>
+<li>Cory Pruce of Carnegie Mellon University: CVE-2016-3897</li>
+<li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>)
+and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360
+Technology Co. Ltd.: CVE-2016-3869, CVE-2016-3865, CVE-2016-3866, CVE-2016-3867</li>
+<li>Hao Qin of Security Research Lab, <a href="http://www.cmcm.com">Cheetah
+Mobile</a>: CVE-2016-3863</li>
+<li>Jann Horn of Google Project Zero: CVE-2016-3885</li>
+<li>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>)
+and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360: CVE-2016-3858</li>
+<li><a href="https://github.com/AndroidDeveloperLB/">Liran Barsisa</a> of
+<a href="https://sync.me/">Sync.Me</a>: CVE-2016-3877</li>
+<li>Madhu Priya Murugan of CISPA, Saarland University: CVE-2016-3896</li>
+<li>Makoto Onuki of Google: CVE-2016-3876</li>
+<li>Mark Brand of Google Project Zero: CVE-2016-3861</li>
+<li>Max Spector of Android Security: CVE-2016-3888</li>
+<li>Max Spector and Quan To of Android Security: CVE-2016-3889</li>
+<li>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>),
+Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>),
+and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3895</li>
+<li>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) of
+Tesla Motors Product Security Team: Discovery of additional issues related to
+CVE-2016-2446</li>
+<li>Oleksiy Vyalov of Google: CVE-2016-3890</li>
+<li>Oliver Chang of Google Chrome Security Team: CVE-2016-3880</li>
+<li>Peng Xiao, Chengming Yang, Ning You, Chao Yang, and Yang song, of Alibaba
+Mobile Security Group: CVE-2016-3859</li>
+<li>Ronald L. Loor Vargas (<a href="https://twitter.com/loor_rlv">@loor_rlv</a>)
+of TEAM Lv51: CVE-2016-3886</li>
+<li>Sagi Kedmi, IBM Security X-Force Researcher: CVE-2016-3873</li>
+<li><a href="mailto:sbauer@plzdonthack.me">Scott Bauer</a>
+(<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2016-3893,
+CVE-2016-3868, CVE-2016-3867</li>
+<li>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of
+TrendMicro: CVE-2016-3894</li>
+<li>Tim Strazzere (<a href="https://twitter.com/timstrazz">@timstrazz</a>) of
+SentinelOne / RedNaga: CVE-2016-3862</li>
+<li>trotmaster (<a href="https://twitter.com/trotmaster99">@trotmaster99</a>):
+CVE-2016-3883</li>
+<li>Victor Chang of Google: CVE-2016-3887</li>
+<li>Vignesh Venkatasubramanian of Google: CVE-2016-3881</li>
+<li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
+Alibaba Inc: CVE-2016-3878</li>
+<li><a href="mailto:vancouverdou@gmail.com">Wenke Dou</a>, Mingjian Zhou
+(<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu
+(<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang
+of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-3870, CVE-2016-3871,
+CVE-2016-3872</li>
+<li>Wish Wu (<a href="http://weibo.com/wishlinux">吴潍浠</a>)
+(<a href="https://twitter.com/wish_wu">@wish_wu</a>) of
+<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/author/wishwu/">Trend
+Micro Inc</a>.: CVE-2016-3892</li>
+<li>Xingyu He (何星宇) (<a href="https://twitter.com/Spid3r_">@Spid3r_</a>)
+of <a href="http://www.alibaba.com/">Alibaba Inc</a>: CVE-2016-3879</li>
+<li>Yacong Gu of TCA Lab, Institute of Software, Chinese Academy of Sciences:
+CVE-2016-3884</li>
+<li><a href="http://yurushao.info">Yuru Shao</a> of University of Michigan Ann
+Arbor: CVE-2016-3898</li>
+</ul>
+
+<h2 id="2016-09-01-details">2016-09-01 security patch level—Security vulnerability details</h2>
+<p>
+In the sections below, we provide details for each of the security
+vulnerabilities listed in the
+<a href="#2016-09-01-summary">2016-09-01 security patch level—Vulnerability
+summary</a> above. There is a description of the issue, a severity rationale,
+and a table with the CVE, associated references, severity, updated Nexus
+devices, updated AOSP versions (where applicable), and date reported. When
+available, we will link the public change that addressed the issue to the bug
+ID, like the AOSP change list. When multiple changes relate to a single bug,
+additional references are linked to numbers following the bug ID.
+</p>
+
+<h3>Remote code execution vulnerability in LibUtils</h3>
+<p>
+A remote code execution vulnerability in LibUtils could enable an attacker using
+a specially crafted file to execute arbitrary code in the context of a
+privileged process. This issue is rated as Critical due to the possibility of
+remote code execution in applications that use this library.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3861</td>
+ <td>A-29250543</td>
+ <td>Critical</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 9, 2016</td>
+ </tr>
+</table>
+<h3>Remote code execution vulnerability in Mediaserver</h3>
+<p>
+A remote code execution vulnerability in Mediaserver could enable an attacker
+using a specially crafted file to cause memory corruption during media file and
+data processing. This issue is rated as Critical due to the possibility of
+remote code execution within the context of the Mediaserver process.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3862</td>
+ <td>A-29270469</td>
+ <td>Critical</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Jun 10, 2016</td>
+ </tr>
+</table>
+<h3>Remote code execution vulnerability in MediaMuxer</h3>
+<p>
+A remote code execution vulnerability in MediaMuxer could enable an attacker
+using a specially crafted file to execute arbitrary code in the context of an
+unprivileged process. This issue is rated as High due to the possibility of
+remote code execution in an application that uses MediaMuxer.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3863</td>
+ <td>A-29161888</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 6, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Mediaserver</h3>
+<p>
+An elevation of privilege vulnerability in Mediaserver could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3870</td>
+ <td>A-29421804</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 15, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3871</td>
+ <td>A-29422022</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 15, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3872</td>
+ <td>A-29421675</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 15, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in device boot</h3>
+<p>
+An elevation of privilege during the boot sequence could enable a local
+malicious attacker to boot into safe mode even though it's disabled. This issue
+is rated as High because it is a local bypass of user interaction requirements
+for any developer or security settings modifications.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3875</td>
+ <td>A-26251884</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>6.0, 6.0.1</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* Supported Nexus devices on Android 7.0 that have installed all available
+updates are not affected by this vulnerability.
+</p>
+
+<h3>Elevation of privilege vulnerability in Settings</h3>
+<p>
+An elevation of privilege in Settings could enable a local malicious attacker to
+boot into safe mode even though it's disabled. This issue is rated as High
+because it is a local bypass of user interaction requirements for any developer
+or security settings modifications.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3876</td>
+ <td>A-29900345</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3>Denial of service vulnerability in Mediaserver</h3>
+<p>
+A denial of service vulnerability in Mediaserver could enable an attacker to use
+a specially crafted file to cause a device hang or reboot. This issue is rated
+as High due to the possibility of remote denial of service.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3899</td>
+ <td>A-29421811</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3878</td>
+ <td>A-29493002</td>
+ <td>High</td>
+ <td>All Nexus*</td>
+ <td>6.0, 6.0.1</td>
+ <td>Jun 17, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3879</td>
+ <td>A-29770686</td>
+ <td>High</td>
+ <td>All Nexus*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Jun 25, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3880</td>
+ <td>A-25747670</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3881</td>
+ <td>A-30013856</td>
+ <td>High</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* Supported Nexus devices on Android 7.0 that have installed all available
+updates are not affected by this vulnerability.
+</p>
+
+<h3>Elevation of privilege vulnerability in Telephony</h3>
+<p>
+An elevation of privilege vulnerability in the Telephony component could enable
+a local malicious application to send unauthorized premium SMS messages. This
+issue is rated as Moderate because it could be used to gain elevated
+capabilities without explicit user permission.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3883</td>
+ <td>A-28557603</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>May 3, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Notification Manager Service</h3>
+<p>
+An elevation of privilege vulnerability in the Notification Manager Service
+could enable a local malicious application to bypass operating system
+protections that isolate application data from other applications. This issue is
+rated as Moderate because it is a local bypass of user interaction requirements,
+such as access to functionality that would normally require either user
+initiation or user permission.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3884</td>
+ <td>A-29421441</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Jun 15, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Debuggerd</h3>
+<p>
+An elevation of privilege vulnerability in the integrated Android debugger could
+enable a local malicious application to execute arbitrary code within the
+context of the Android debugger. This issue is rated as Moderate severity due to
+the possibility of local arbitrary code execution in a privileged process.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3885</td>
+ <td>A-29555636</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 21, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in System UI Tuner</h3>
+<p>
+An elevation of privilege in the System UI Tuner could enable a local malicious
+user to modify protected settings when a device is locked. This issue is rated
+as Moderate because it is a local bypass of user permissions.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3886</td>
+ <td>A-30107438</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>7.0</td>
+ <td>Jun 23, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Settings</h3>
+<p>
+An elevation of privilege vulnerability in Settings could enable a local
+malicious application to bypass operating system protections for VPN settings.
+This issue is rated as Moderate because it could be used to gain access to data
+that is outside of the application’s permission levels.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="17%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="18%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3887</td>
+ <td>A-29899712</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in SMS</h3>
+<p>
+An elevation of privilege vulnerability in SMS could enable a local attacker to
+send premium SMS messages prior to the device being provisioned. This is rated
+as Moderate due to the possibility of bypassing Factory Reset Protection, which
+should prevent the device from being used before it is set up.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3888</td>
+ <td>A-29420123</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Settings</h3>
+<p>
+An elevation of privilege vulnerability in Settings could enable a local
+attacker to bypass the Factory Reset Protection and gain access to the device.
+This is rated as Moderate due to the possibility of bypassing Factory Reset
+Protection, which could lead to successfully resetting the device and erasing
+all its data.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="17%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="18%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3889</td>
+ <td>A-29194585</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Java Debug Wire Protocol</h3>
+<p>
+An elevation of privilege vulnerability in the Java Debug Wire Protocol could
+enable a local malicious application to execute arbitrary code within the
+context of an elevated system application. This issue is rated as Moderate
+because it requires an uncommon device configuration.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="18%">
+ <col width="18%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3890</td>
+ <td>A-28347842</td>
+ <td>Moderate</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* Supported Nexus devices on Android 7.0 that have installed all available
+updates are not affected by this vulnerability.
+</p>
+
+<h3>Information disclosure vulnerability in Mediaserver</h3>
+<p>
+An information disclosure vulnerability in Mediaserver could enable a local
+malicious application to access data outside of its permission levels. This
+issue is rated as Moderate because it could be used to access sensitive data
+without permission.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3895</td>
+ <td>A-29983260</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Jul 4, 2016</td>
+ </tr>
+</table>
+<h3>Information disclosure vulnerability in AOSP Mail</h3>
+<p>
+An information disclosure vulnerability in AOSP Mail could enable a local
+malicious application to gain access to user’s private information. This issue
+is rated as Moderate because it could be used to improperly access data without
+permission.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3896</td>
+ <td>A-29767043</td>
+ <td>Moderate</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Jul 24, 2016</td>
+ </tr>
+</table>
+<p>
+* Supported Nexus devices on Android 7.0 that have installed all available
+updates are not affected by this vulnerability.
+</p>
+
+<h3>Information disclosure vulnerability in Wi-Fi</h3>
+<p>
+An information disclosure vulnerability in the Wi-Fi configuration could allow
+an application to access sensitive information. This issue is rated as Moderate
+because it could be used to access data without permission.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="16%">
+ <col width="10%">
+ <col width="19%">
+ <col width="19%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3897</td>
+ <td>A-25624963</td>
+ <td>Moderate</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Nov 5, 2015</td>
+ </tr>
+</table>
+<p>
+* Supported Nexus devices on Android 7.0 that have installed all available
+updates are not affected by this vulnerability.
+</p>
+
+<h3>Denial of service vulnerability in Telephony</h3>
+<p>
+A denial of service vulnerability in the Telephony component could enable a
+local malicious application to prevent 911 TTY calls from a locked screen. This
+issue is rated as Moderate due to the possibility of a denial of service on a
+critical function.
+</p>
+
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3898</td>
+ <td>A-29832693</td>
+ <td>Moderate</td>
+ <td>All Nexus</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 28, 2016</td>
+ </tr>
+</table>
+<h2 id="2016-09-05-details">2016-09-05 security patch level—Vulnerability details</h2>
+<p>
+In the sections below, we provide details for each of the security
+vulnerabilities listed in the
+<a href="#2016-09-05-summary">2016-09-05 security patch level—Vulnerability
+summary</a> above. There is a description of the issue, a severity rationale,
+and a table with the CVE, associated references, severity, updated Nexus
+devices, updated AOSP versions (where applicable), and date reported. When
+available, we will link the public change that addressed the issue to the bug
+ID, like the AOSP change list. When multiple changes relate to a single bug,
+additional references are linked to numbers following the bug ID.
+</p>
+
+<h3>Elevation of privilege vulnerability in kernel security subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel security subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2014-9529</td>
+ <td>A-29510361
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a3a8784454692dd72e5d5d34dcdab17b4420e74c">Upstream
+kernel</a></p></td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 6, Nexus 9, Nexus Player, Android One</td>
+ <td>Jan 6, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-4470</td>
+ <td>A-29823941
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a">Upstream
+kernel</a></p></td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player</td>
+ <td>June 15, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in kernel networking subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel networking subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2013-7446</td>
+ <td>A-29119002
+<p>
+<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c">Upstream
+kernel</a></p></td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Nov 18, 2015</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in kernel netfilter subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel netfilter subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3134</td>
+ <td>A-28940694
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309">Upstream
+kernel</a></p></td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Mar 9, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in kernel USB driver</h3>
+<p>
+An elevation of privilege vulnerability in the kernel USB driver could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3951</td>
+ <td>A-28744625
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d06dd537f95683aba3651098ae288b7cbff8274">Upstream kernel</a>
+[<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1666984c8625b3db19a9abc298931d35ab7bc64b">2</a>]</p></td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Apr 6, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in kernel sound subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel sound subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2014-4655</td>
+ <td>A-29916012
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=82262a46627bebb0febcc26664746c25cef08563">Upstream
+kernel</a></p></td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 6, Nexus 9, Nexus Player</td>
+ <td>Jun 26, 2014</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in kernel ASN.1 decoder</h3>
+<p>
+An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as High because it first requires compromising a
+privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-2053</td>
+ <td>A-28751627
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f">Upstream
+kernel</a></p></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P</td>
+ <td>Jan 25, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Qualcomm radio interface layer</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm radio interface layer
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="18%">
+ <col width="10%">
+ <col width="25%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3864</td>
+ <td>A-28823714*<br>
+ QC-CR#913117</td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
+ <td>Apr 29, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Qualcomm subsystem driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm subsystem driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3858</td>
+ <td>A-28675151<br>
+<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0c148b9a9028c566eac680f19e5d664b483cdee3">QC-CR#1022641</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P</td>
+ <td>May 9, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in kernel networking driver</h3>
+<p>
+An elevation of privilege vulnerability in the kernel networking driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-4805</td>
+ <td>A-28979703
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f461dcdd296eecedaffffc6bae2bfa90bd7eb89">Upstream
+kernel</a></p></td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9</td>
+ <td>May 15, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Synaptics touchscreen driver</h3>
+<p>
+An elevation of privilege vulnerability in the Synaptics touchscreen driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3865</td>
+ <td>A-28799389*</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 9</td>
+ <td>May 16, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Qualcomm camera driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm camera driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3859</td>
+ <td>A-28815326*<br>
+ QC-CR#1034641</td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
+ <td>May 17, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Qualcomm sound driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm sound driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3866</td>
+ <td>A-28868303*<br>
+ QC-CR#1032820</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P</td>
+ <td>May 18, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Qualcomm IPA driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm IPA driver could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as High because it first requires compromising a
+privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3867</td>
+ <td>A-28919863*<br>
+ QC-CR#1037897</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P</td>
+ <td>May 21, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Qualcomm power driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm power driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3868</td>
+ <td>A-28967028*<br>
+ QC-CR#1032875</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P</td>
+ <td>May 25, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Broadcom Wi-Fi driver</h3>
+<p>
+An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3869</td>
+ <td>A-29009982*<br>
+ B-RB#96070</td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C</td>
+ <td>May 27, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in kernel eCryptfs filesystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel eCryptfs filesystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="17%">
+ <col width="22%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-1583</td>
+ <td>A-29444228<br>
+<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9">Upstream kernel</a>
+[<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87">2</a>]
+[<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29d6455178a09e1dc340380c582b13356227e8df">3</a>]</td>
+ <td>High</td>
+ <td>Pixel C</td>
+ <td>Jun 1, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in NVIDIA kernel</h3>
+<p>
+An elevation of privilege vulnerability in the NVIDIA kernel could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as High severity because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3873</td>
+ <td>A-29518457*<br>
+ N-CVE-2016-3873</td>
+ <td>High</td>
+ <td>Nexus 9</td>
+ <td>Jun 20, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3874</td>
+ <td>A-29944562<br>
+<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=50e8f265b3f7926aeb4e49c33f7301ace89faa77">QC-CR#997797</a>
+[<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a3974e61c960aadcc147c3c5704a67309171642d">2</a>]</td>
+ <td>High</td>
+ <td>Nexus 5X</td>
+ <td>Jul 1, 2016</td>
+ </tr>
+</table>
+<h3>Denial of service vulnerability in kernel networking subsystem</h3>
+<p>
+A denial of service vulnerability in the kernel networking subsystem could
+enable an attacker to cause a device hang or reboot. This issue is rated as High
+due to the possibility of a temporary remote denial of service.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="18%">
+ <col width="10%">
+ <col width="25%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-1465</td>
+ <td>A-29506807
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0">Upstream
+kernel</a></p></td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 6, Nexus 9, Nexus Player, Pixel C, Android One</td>
+ <td>Feb 3, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-5364</td>
+ <td>A-29507402
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0">Upstream
+kernel</a></p></td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Jun 30, 2015</td>
+ </tr>
+</table>
+<h3>Denial of service vulnerability in kernel ext4 file system</h3>
+<p>
+A denial of service vulnerability in the kernel ext4 file system could enable an
+attacker to cause a local permanent denial of service, which may require
+reflashing the operating system to repair the device. This issue is rated as
+High due to the possibility of local permanent denial of service.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="16%">
+ <col width="10%">
+ <col width="27%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-8839</td>
+ <td>A-28760453*</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One</td>
+ <td>Apr 4, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Information disclosure vulnerability in Qualcomm SPMI driver</h3>
+<p>
+An information disclosure vulnerability in the Qualcomm SPMI driver could enable
+a local malicious application to access data outside of its permission levels.
+This issue is rated as Moderate because it first requires compromising a
+privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3892</td>
+ <td>A-28760543*<br>
+ QC-CR#1024197</td>
+ <td>Moderate</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P</td>
+ <td>May 13, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Information disclosure vulnerability in Qualcomm sound codec</h3>
+<p>
+An information disclosure vulnerability in the Qualcomm sound codec could enable
+a local malicious application to access data outside of its permission levels.
+This issue is rated as Moderate because it first requires compromising a
+privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3893</td>
+ <td>A-29512527<br>
+<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a7a6ddc91cce7ad5ad55c9709b24bfc80f5ac873">QC-CR#856400</a></td>
+ <td>Moderate</td>
+ <td>Nexus 6P</td>
+ <td>Jun 20, 2016</td>
+ </tr>
+</table>
+<h3>Information disclosure vulnerability in Qualcomm DMA component</h3>
+<p>
+An information disclosure vulnerability in the Qualcomm DMA component could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising a
+privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3894</td>
+ <td>A-29618014*<br>
+ QC-CR#1042033</td>
+ <td>Moderate</td>
+ <td>Nexus 6</td>
+ <td>Jun 23, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h3>Information disclosure vulnerability in kernel networking subsystem</h3>
+<p>
+An information disclosure vulnerability in the kernel networking subsystem could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising a
+privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-4998</td>
+ <td>A-29637687<br>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968e9686df777dc178486f600c6e617">Upstream kernel</a>
+[<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91">2</a>]</td>
+ <td>Moderate</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Jun 24, 2016</td>
+ </tr>
+</table>
+<h3>Denial of service vulnerability in kernel networking subsystem</h3>
+<p>
+A denial of service vulnerability in the kernel networking subsystem could
+enable an attacker to block access to Wi-Fi capabilities.This issue is rated as
+Moderate due to the possibility of a temporary remote denial of service of the
+Wi-Fi capabilities.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-2922</td>
+ <td>A-29409847
+<p>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a">Upstream
+kernel</a></p></td>
+ <td>Moderate</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Apr 4, 2015</td>
+ </tr>
+</table>
+<h3>Vulnerabilities in Qualcomm components</h3>
+<p>
+The table below contains security vulnerabilities affecting Qualcomm components,
+potentially including the bootloader, camera driver, character driver,
+networking, sound driver, and video driver.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-2469</td>
+ <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e">QC-CR#997025</a></td>
+ <td>High</td>
+ <td>None</td>
+ <td>Jun 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-2469</td>
+ <td><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e7369163162e7773bc887f7a264d6aa46cfcc665">QC-CR#997015</a></td>
+ <td>Moderate</td>
+ <td>None</td>
+ <td>Jun 2016</td>
+ </tr>
+</table>
+<h2 id="2016-09-06-details">2016-09-06 security patch level—Vulnerability details</h2>
+<p>
+In the sections below, we provide details for each of the security
+vulnerabilities listed in the
+<a href="#2016-09-06-summary">2016-09-06 security patch level—Vulnerability
+summary</a> above. There is a description of the issue, a severity rationale,
+and a table with the CVE, associated references, severity, updated Nexus
+devices, updated AOSP versions (where applicable), and date reported. When
+available, we will link the public change that addressed the issue to the bug
+ID, like the AOSP change list. When multiple changes relate to a single bug,
+additional references are linked to numbers following the bug ID.
+</p>
+
+<h3>Elevation of privilege vulnerability in kernel shared memory subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel shared memory subsystem
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-5340</td>
+ <td>A-30652312<br>
+<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6">QC-CR#1008948</a></td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
+ <td>Jul 26, 2016</td>
+ </tr>
+</table>
+<h3>Elevation of privilege vulnerability in Qualcomm networking component</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm networking component
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Nexus devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-2059</td>
+ <td>A-27045580<br>
+<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d">QC-CR#974577</a></td>
+ <td>High</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One</td>
+ <td>Feb 4, 2016</td>
+ </tr>
+</table>
+<h2 id="common-questions-and-answers">Common Questions and Answers</h2>
+<p>
+This section answers common questions that may occur after reading this
+bulletin.
+</p>
+
+<p>
+<strong>1. How do I determine if my device is updated to address these issues?
+</strong>
+</p>
+
+<p>
+Security Patch Levels of 2016-09-01 or later address all issues associated with
+the 2016-09-01 security patch string level. Security Patch Levels of 2016-09-05
+or later address all issues associated with the 2016-09-05 security patch string
+level. Security Patch Levels of 2016-09-06 or later address all issues
+associated with the 2016-09-06 security patch string level. Refer to the
+<a href="https://support.google.com/nexus/answer/4457705">help center</a> for
+instructions on how to check the security patch level. Device manufacturers that
+include these updates should set the patch string level to:
+[ro.build.version.security_patch]:[2016-09-01],
+[ro.build.version.security_patch]:[2016-09-05], or
+[ro.build.version.security_patch]:[2016-09-06].
+</p>
+
+<p>
+<strong>2. Why does this bulletin have three security patch level
+strings?</strong>
+</p>
+
+<p>
+This bulletin has three security patch level strings so that Android partners
+have the flexibility to fix a subset of vulnerabilities that are similar across
+all Android devices more quickly. Android partners are encouraged to fix all
+issues in this bulletin and use the latest security patch level string.
+</p>
+
+<p>
+Devices that use the September 6, 2016 security patch level or newer must
+include all applicable patches in this (and previous) security bulletins. This
+patch level was created to addresses issues that were discovered after partners
+were first notified of most issues in this bulletin.
+</p>
+
+<p>
+Devices that use September 5, 2016 security patch level must include all issues
+associated with that security patch level, the September 1, 2016 security patch
+level and fixes for all issues reported in previous security bulletins. Devices
+that use the September 5, 2016 security patch level may also include a subset of
+fixes associated with the September 6, 2016 security patch level.
+</p>
+
+<p>
+Devices that use September 1, 2016 security patch level must include all issues
+associated with that security patch level as well as fixes for all issues
+reported in previous security bulletins. Devices that use the September 1, 2016
+security patch level may also include a subset of fixes associated with the
+September 5, 2016 and September 6, 2016 security patch levels.
+</p>
+
+<p>
+3<strong>. How do I determine which Nexus devices are affected by each
+issue?</strong>
+</p>
+
+<p>
+In the
+<a href="#2016-09-01-details">2016-09-01</a>,
+<a href="#2016-09-05-details">2016-09-05</a>, and
+<a href="#2016-09-06-details">2016-09-06</a> security vulnerability details
+sections, each table has an <em>Updated Nexus devices</em> column that covers
+the range of affected Nexus devices updated for each issue. This column has a
+few options:
+</p>
+
+<ul>
+<li><strong>All Nexus devices</strong>: If an issue affects all Nexus devices,
+the table will have “All Nexus” in the <em>Updated Nexus devices</em> column.
+“All Nexus” encapsulates the following
+<a href="https://support.google.com/nexus/answer/4457705#nexus_devices">supported
+devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9,
+Android One, Nexus Player, and Pixel C.</li>
+<li><strong>Some Nexus devices</strong>: If an issue doesn’t affect all Nexus
+devices, the affected Nexus devices are listed in the <em>Updated Nexus
+devices</em> column.</li>
+<li><strong>No Nexus devices</strong>: If no Nexus devices running Android 7.0
+are affected by the issue, the table will have “None” in the <em>Updated Nexus
+devices</em> column.</li>
+</ul>
+<p>
+<strong>4. What do the entries in the references column map to?</strong>
+</p>
+
+<p>
+Entries under the <em>References</em> column of the vulnerability details table
+may contain a prefix identifying the organization to which the reference value
+belongs. These prefixes map as follows:
+</p>
+
+<table>
+ <tr>
+ <th>Prefix</th>
+ <th>Reference</th>
+ </tr>
+ <tr>
+ <td>A-</td>
+ <td>Android bug ID</td>
+ </tr>
+ <tr>
+ <td>QC-</td>
+ <td>Qualcomm reference number</td>
+ </tr>
+ <tr>
+ <td>M-</td>
+ <td>MediaTek reference number</td>
+ </tr>
+ <tr>
+ <td>N-</td>
+ <td>NVIDIA reference number</td>
+ </tr>
+ <tr>
+ <td>B-</td>
+ <td>Broadcom reference number</td>
+ </tr>
+</table>
+
+<h2 id="revisions">Revisions</h2>
+<ul>
+<li>September 06, 2016: Bulletin published.</li>
+</ul>
diff --git a/src/security/bulletin/index.jd b/src/security/bulletin/index.jd
index ab9419d..6c66b0a 100644
--- a/src/security/bulletin/index.jd
+++ b/src/security/bulletin/index.jd
@@ -44,6 +44,15 @@
<th>Android Security Patch Level</th>
</tr>
<tr>
+ <td><a href="2016-09-01.html">September 2016</a></td>
+ <td>Coming soon
+ </td>
+ <td>September 6, 2016</td>
+ <td>September 1, 2016: [2016-09-01]<br>
+ September 5, 2016: [2016-09-05]<br>
+ September 6, 2016: [2016-09-06]</td>
+ </tr>
+ <tr>
<td><a href="2016-08-01.html">August 2016</a></td>
<td>Coming soon
</td>
diff --git a/src/security/overview/acknowledgements.jd b/src/security/overview/acknowledgements.jd
index 706955a..9aecfda 100644
--- a/src/security/overview/acknowledgements.jd
+++ b/src/security/overview/acknowledgements.jd
@@ -72,6 +72,8 @@
<p>Christopher Tate of Google</p>
+<p>Cory Pruce of Carnegie Mellon University</p>
+
<p>David Benjamin of Google</p>
<p>David Riley of the Google Pixel C Team</p>
@@ -138,8 +140,14 @@
<p>Lee Campbell of Google</p>
+<p><a href="https://github.com/AndroidDeveloperLB/">Liran Barsisa</a> of <a href="https://sync.me/">Sync.Me</a></p>
+
<p>Maciej Szawłowski of the Google Security Team</p>
+<p>Madhu Priya Murugan of CISPA, Saarland University</p>
+
+<p>Makoto Onuki of Google</p>
+
<p>Marco Grassi (<a href="https://twitter.com/marcograss">@marcograss</a>) of KeenLab
(<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent</p>
@@ -166,6 +174,8 @@
<p>Ning You of Alibaba Mobile Security Group</p>
+<p>Oleksiy Vyalov of Google</p>
+
<p>Oliver Chang of Google Chrome Security Team</p>
<p>Paul Stone of Context Information Security</p>
@@ -181,7 +191,8 @@
<p>Qianwei Hu (<a href="mailto:rayxcp@gmail.com">rayxcp@gmail.com</a>) of
<a href="http://www.wooyun.org/">WooYun TangLab</a></p>
-<p>Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent</p>
+<p>Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of
+ KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent</p>
<p>Richard Shupak</p>
@@ -189,7 +200,13 @@
<p>Roeland Krak</p>
-<p>Romain Trouvé (<a href="https://twitter.com/bouuntyyy">@bouuntyyy)</a> of <a href="https://labs.mwrinfosecurity.com/">MWR Labs</a></p>
+<p>Romain Trouvé (<a href="https://twitter.com/bouuntyyy">@bouuntyyy)</a> of
+ <a href="https://labs.mwrinfosecurity.com/">MWR Labs</a></p>
+
+<p>Ronald L. Loor Vargas (<a href="https://twitter.com/loor_rlv">@loor_rlv</a>)
+of TEAM Lv51</p>
+
+<p>Sagi Kedmi, IBM Security X-Force Researcher</p>
<p>Santos Cordon of Google Telecom Team</p>
@@ -213,14 +230,23 @@
<p>Tieyan Li of Huawei</p>
+<p>Tim Strazzere (<a href="https://twitter.com/timstrazz">@timstrazz</a>) of
+SentinelOne / RedNaga</p>
+
<p>Tom Craig of Google X</p>
<p>Tom Rootjunky</p>
<p><a href="mailto:litongxin1991@gmail.com">Tongxin Li</a> of Peking University</p>
+<p>trotmaster (<a href="https://twitter.com/trotmaster99">@trotmaster99</a>)</p>
+
<p>Vasily Vasilev</p>
+<p>Victor Chang of Google</p>
+
+<p>Vignesh Venkatasubramanian of Google</p>
+
<p>Vishwath Mohan of Android Security</p>
<p>Wei Wei (<a href="https://twitter.com/Danny__Wei">@Danny__Wei</a>) of Xuanwu
@@ -231,6 +257,8 @@
<p>Wen Niu (<a href="https://twitter.com/NWMonster">@NWMonster</a>) of KeenLab
(<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent</p>
+<p><a href="mailto:vancouverdou@gmail.com">Wenke Dou</a> of <a href="http://c0reteam.org">C0RE Team</a></p>
+
<p>William Roberts (<a href="mailto:william.c.roberts@intel.com">william.c.roberts@intel.com</a>)</p>
<p>Wish Wu (<a href="https://twitter.com/@wish_wu">@wish_wu</a>) of Trend Micro Inc.</p>
@@ -239,6 +267,9 @@
<p>Xiling Gong of Tencent Security Platform Department</p>
+<p>Xingyu He (何星宇) (<a href="https://twitter.com/Spid3r_">@Spid3r_</a>)
+ of <a href="http://www.alibaba.com/">Alibaba Inc</a></p>
+
<p><a href="mailto:hanxinhui@pku.edu.cn">Xinhui Han</a> of Peking University</p>
<p>Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a> from <a href="http://www.360safe.com/">Qihoo 360</a></p>
@@ -263,6 +294,8 @@
<p>Yulong Zhang of Baidu X-Lab</p>
+<p><a href="http://yurushao.info">Yuru Shao</a> of University of Michigan Ann Arbor</p>
+
<p>Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team</p>
</div>
diff --git a/src/security/security_toc.cs b/src/security/security_toc.cs
index 21cca0b..a0236e3 100644
--- a/src/security/security_toc.cs
+++ b/src/security/security_toc.cs
@@ -62,6 +62,7 @@
<li><a href="<?cs var:toroot ?>security/advisory/2016-03-18.html">2016-03-18</a></li>
</ul>
</li>
+ <li><a href="<?cs var:toroot ?>security/bulletin/2016-09-01.html">September 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-08-01.html">August 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-07-01.html">July 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-06-01.html">June 2016</a></li>
