Published November 07, 2016 | Updated December 21, 2016
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of November 06, 2016 or later address all of these issues. Refer to the Pixel and Nexus update schedule to learn how to check a device's security patch level.
Partners were notified of the issues described in the bulletin on October 20, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository. This bulletin also includes links to patches outside of AOSP.
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google service mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.
We encourage all customers to accept these updates to their devices.
Announcements
- With the introduction of the Pixel and Pixel XL devices, the term for all devices supported by Google is "Google devices" instead of "Nexus devices."
- This bulletin has three security patch levels to provide Android partners
with the flexibility to more quickly fix a subset of vulnerabilities that are
similar across all Android devices. See
Common questions and answers for
additional information:
- 2016-11-01: Partial security patch level. This security patch level indicates that all issues associated with 2016-11-01 (and all previous security patch level) are addressed.
- 2016-11-05: Complete security patch level. This security patch level indicates that all issues associated with 2016-11-01 and 2016-11-05 (and all previous security patch levels) are addressed.
- Supplemental security patch levels
Supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined. Addressing these recently disclosed vulnerabilities is not required until the 2016-12-01 security patch level.
- 2016-11-06: This security patch level indicates that the device has addressed all issues associated with 2016-11-05 and CVE-2016-5195, which was publicly disclosed on October 19, 2016.
- Supported Google devices will receive a single OTA update with the November 05, 2016 security patch level.
Android and Google service mitigations
This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.
Acknowledgements
We would like to thank these researchers for their contributions:
- Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security Team: CVE-2016-6722
- Andrei Kapishnikov and Miriam Gershenson of Google: CVE-2016-6703
- Ao Wang (@ArayzSegment) and Zinuo Han of PKAV, Silence Information Technology: CVE-2016-6700, CVE-2016-6702
- Askyshang of Security Platform Department, Tencent: CVE-2016-6713
- Billy Lau of Android Security: CVE-2016-6737
- Constantinos Patsakis and Efthimios Alepis of University of Piraeus: CVE-2016-6715
- dragonltx of Alibaba mobile security team: CVE-2016-6714
- Gal Beniamini of Project Zero: CVE-2016-6707, CVE-2016-6717
- Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-6725, CVE-2016-6738, CVE-2016-6740, CVE-2016-6741, CVE-2016-6742, CVE-2016-6744, CVE-2016-6745, CVE-2016-3906
- Guang Gong (龚广) (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-6754
- Jianqiang Zhao (@jianqiangzhao) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-6739, CVE-2016-3904, CVE-2016-3907, CVE-2016-6698
- Marco Grassi (@marcograss) of Keen Lab of Tencent (@keen_lab): CVE-2016-6828
- Mark Brand of Project Zero: CVE-2016-6706
- Mark Renouf of Google: CVE-2016-6724
- Michał Bednarski (github.com/michalbednarski): CVE-2016-6710
- Min Chong of Android Security: CVE-2016-6743
- Peter Pi (@heisecode) of Trend Micro: CVE-2016-6721
- Qidan He (何淇丹) (@flanker_hqd) and Gengming Liu (刘耕铭) (@dmxcsnsbh) of KeenLab, Tencent: CVE-2016-6705
- Robin Lee of Google: CVE-2016-6708
- Scott Bauer (@ScottyBauer1): CVE-2016-6751
- Sergey Bobrov (@Black2Fan) of Kaspersky Lab: CVE-2016-6716
- Seven Shen (@lingtongshen) of Trend Micro Mobile Threat Research Team: CVE-2016-6748, CVE-2016-6749, CVE-2016-6750, CVE-2016-6753
- Victor van der Veen, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida of Vrije Universiteit Amsterdam and Yanick Fratantonio, Martina Lindorfer, and Giovanni Vigna of University of California, Santa Barbara: CVE-2016-6728
- Weichao Sun (@sunblate) of Alibaba Inc: CVE-2016-6712, CVE-2016-6699, CVE-2016-6711
- Wenke Dou (vancouverdou@gmail.com), Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-6720
- Wish Wu (吴潍浠) (@wish_wu) of Trend Micro Inc.: CVE-2016-6704
- Yakov Shafranovich of Nightwatch Cybersecurity: CVE-2016-6723
- Yuan-Tsung Lo, Yao Jun, Tong Lin, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-6730, CVE-2016-6732, CVE-2016-6734, CVE-2016-6736
- Yuan-Tsung Lo, Yao Jun, Xiaodong Wang, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-6731, CVE-2016-6733, CVE-2016-6735, CVE-2016-6746
Additional thanks to Zach Riggle of Android Security for his contributions to several issues in this bulletin.
2016-11-01 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-11-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Remote code execution vulnerability in Mediaserver
A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6699 | A-31373622 | Critical | All | 7.0 | Jul 27, 2016 |
Elevation of privilege vulnerability in libzipfile
An elevation of privilege vulnerability in libzipfile could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6700 | A-30916186 | Critical | None* | 4.4.4, 5.0.2, 5.1.1 | Aug 17, 2016 |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Remote code execution vulnerability in Skia
A remote code execution vulnerability in libskia could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as High due to the possibility of remote code execution within the context of the gallery process.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6701 | A-30190637 | High | All | 7.0 | Google internal |
Remote code execution vulnerability in libjpeg
A remote code execution vulnerability in libjpeg could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses libjpeg.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6702 | A-30259087 | High | None* | 4.4.4, 5.0.2, 5.1.1 | Jul 19, 2016 |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Remote code execution vulnerability in Android runtime
A remote code execution vulnerability in an Android runtime library could enable an attacker using a specially crafted payload to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses the Android runtime.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6703 | A-30765246 | High | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Google internal |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Elevation of privilege vulnerability in Mediaserver
An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6704 | A-30229821 [2] [3] | High | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 19, 2016 |
| CVE-2016-6705 | A-30907212 [2] | High | All | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 16, 2016 |
| CVE-2016-6706 | A-31385713 | High | All | 7.0 | Sep 8, 2016 |
Elevation of privilege vulnerability in System Server
An elevation of privilege vulnerability in System Server could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6707 | A-31350622 | High | All | 6.0, 6.0.1, 7.0 | Sep 7, 2016 |
Elevation of privilege vulnerability in System UI
An elevation of privilege in the System UI could enable a local malicious user to bypass the security prompt of a work profile in Multi-Window mode. This issue is rated as High because it is a local bypass of user interaction requirements for any developer or security setting modifications.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6708 | A-30693465 | High | All | 7.0 | Google internal |
Information disclosure vulnerability in Conscrypt
An information disclosure vulnerability in Conscrypt could enable an attacker to gain access to sensitive information if a legacy encryption API is used by an application. This issue is rated as High because it could be used to access data without permission.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6709 | A-31081987 | High | All | 6.0, 6.0.1, 7.0 | Oct 9, 2015 |
Information disclosure vulnerability in download manager
An information disclosure vulnerability in the download manager could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as High because it could be used to gain access to data that the application does not have access to.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6710 | A-30537115 [2] | High | All | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 30, 2016 |
Denial of service vulnerability in Bluetooth
A denial of service vulnerability in Bluetooth could enable a proximate attacker to block Bluetooth access to an affected device. This issue is rated as High due to the possibility of remote denial of service.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2014-9908 | A-28672558 | High | None* | 4.4.4, 5.0.2, 5.1.1 | May 5, 2014 |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Denial of service vulnerability in OpenJDK
A remote denial of service vulnerability in OpenJDK could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2015-0410 | A-30703445 | High | All | 7.0 | Jan 16, 2015 |
Denial of service vulnerability in Mediaserver
A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6711 | A-30593765 | High | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Aug 1, 2016 |
| CVE-2016-6712 | A-30593752 | High | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Aug 1, 2016 |
| CVE-2016-6713 | A-30822755 | High | All | 6.0, 6.0.1, 7.0 | Aug 11, 2016 |
| CVE-2016-6714 | A-31092462 | High | All | 6.0, 6.0.1, 7.0 | Aug 22, 2016 |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Elevation of privilege vulnerability in Framework APIs
An elevation of privilege vulnerability in the Framework APIs could allow a local malicious application to record audio without the user's permission. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6715 | A-29833954 | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 28, 2016 |
Elevation of privilege vulnerability in AOSP Launcher
An elevation of privilege vulnerability in the AOSP Launcher could allow a local malicious application to create shortcuts that have elevated privileges without the user's consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6716 | A-30778130 | Moderate | All | 7.0 | Aug 5, 2016 |
Elevation of privilege vulnerability in Mediaserver
An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires exploitation of a separate vulnerability.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6717 | A-31350239 | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Sep 7, 2016 |
Elevation of privilege vulnerability in Account Manager Service
An elevation of privilege vulnerability in the Account Manager Service could enable a local malicious application to retrieve sensitive information without user interaction. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission.)
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6718 | A-30455516 | Moderate | All | 7.0 | Google internal |
Elevation of privilege vulnerability in Bluetooth
An elevation of privilege vulnerability in the Bluetooth component could enable a local malicious application to pair with any Bluetooth device without user consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6719 | A-29043989 [2] | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Google internal |
Information disclosure vulnerability in Mediaserver
An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6720 | A-29422020 [2] [3] [4] | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 15, 2016 |
| CVE-2016-6721 | A-30875060 | Moderate | All | 6.0, 6.0.1, 7.0 | Aug 13, 2016 |
| CVE-2016-6722 | A-31091777 | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 23, 2016 |
Denial of service vulnerability in Proxy Auto Config
A denial of service vulnerability in Proxy Auto Config could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as Moderate because it requires an uncommon device configuration.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6723 | A-30100884 [2] | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 11, 2016 |
Denial of service vulnerability in Input Manager Service
A denial of service vulnerability in the Input Manager Service could enable a local malicious application to cause the device to continually reboot. This issue is rated as Moderate because it is a temporary denial of service that requires a factory reset to fix.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6724 | A-30568284 | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Google internal |
2016-11-05 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-11-05 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Remote code execution vulnerability in Qualcomm crypto driver
A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6725 | A-30515053 QC-CR#1050970 |
Critical | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 25, 2016 |
Elevation of privilege vulnerability in kernel file system
An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2015-8961 | A-30952474
Upstream kernel |
Critical | Pixel, Pixel XL | Oct 18, 2015 |
| CVE-2016-7911 | A-30946378
Upstream kernel |
Critical | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Jul 01, 2016 |
| CVE-2016-7910 | A-30942273
Upstream kernel |
Critical | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Jul 29, 2016 |
Elevation of privilege vulnerability in kernel SCSI driver
An elevation of privilege vulnerability in the kernel SCSI driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2015-8962 | A-30951599
Upstream kernel |
Critical | Pixel, Pixel XL | Oct 30, 2015 |
Elevation of privilege vulnerability in kernel media driver
An elevation of privilege vulnerability in the kernel media driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-7913 | A-30946097
Upstream kernel |
Critical | Nexus 6P, Android One, Nexus Player, Pixel, Pixel XL | Jan 28, 2016 |
Elevation of privilege vulnerability in kernel USB driver
An elevation of privilege vulnerability in the kernel USB driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-7912 | A-30950866
Upstream kernel |
Critical | Pixel C, Pixel, Pixel XL | Apr 14, 2016 |
Elevation of privilege vulnerability in kernel ION subsystem
An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6728 | A-30400942* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One | Jul 25, 2016 |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Elevation of privilege vulnerability in Qualcomm bootloader
An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6729 | A-30977990*
QC-CR#977684 |
Critical | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 25, 2016 |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Elevation of privilege vulnerability in NVIDIA GPU driver
An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6730 | A-30904789* N-CVE-2016-6730 |
Critical | Pixel C | Aug 16, 2016 |
| CVE-2016-6731 | A-30906023* N-CVE-2016-6731 |
Critical | Pixel C | Aug 16, 2016 |
| CVE-2016-6732 | A-30906599* N-CVE-2016-6732 |
Critical | Pixel C | Aug 16, 2016 |
| CVE-2016-6733 | A-30906694* N-CVE-2016-6733 |
Critical | Pixel C | Aug 16, 2016 |
| CVE-2016-6734 | A-30907120* N-CVE-2016-6734 |
Critical | Pixel C | Aug 16, 2016 |
| CVE-2016-6735 | A-30907701* N-CVE-2016-6735 |
Critical | Pixel C | Aug 16, 2016 |
| CVE-2016-6736 | A-30953284* N-CVE-2016-6736 |
Critical | Pixel C | Aug 18, 2016 |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Elevation of privilege vulnerability in kernel networking subsystem
An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6828 | A-31183296
Upstream kernel |
Critical | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Aug 18, 2016 |
Elevation of privilege vulnerability in kernel sound subsystem
An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2184 | A-30952477
Upstream kernel |
Critical | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Mar 31, 2016 |
Elevation of privilege vulnerability in kernel ION subsystem
An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6737 | A-30928456* | Critical | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Google internal |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Vulnerabilities in Qualcomm components
The table below contains security vulnerabilities affecting Qualcomm components and are described in further detail in Qualcomm AMSS June 2016 security bulletin and Security Alert 80-NV606-17.
| CVE | References | Severity* | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6727 | A-31092400** | Critical | Android One | Qualcomm internal |
| CVE-2016-6726 | A-30775830** | High | Nexus 6, Android One | Qualcomm internal |
* The severity rating for these vulnerabilities was determined by the vendor.
** The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Remote code execution vulnerability in Expat
The table below contains security vulnerabilities affecting the Expat library. The most severe of these issues is an elevation of privilege vulnerability in the Expat XML parser, which could enable an attacker using a specially crafted file to execute arbitrary code in an unprivileged process. This issue is rated as High due to the possibility of arbitrary code execution in an application that uses Expat.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-0718 | A-28698301 | High | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | May 10, 2016 |
| CVE-2012-6702 | A-29149404 | Moderate | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 06, 2016 |
| CVE-2016-5300 | A-29149404 | Moderate | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Jun 04, 2016 |
| CVE-2015-1283 | A-27818751 | Low | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Jul 24, 2015 |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Remote code execution vulnerability in Webview
A remote code execution vulnerability in Webview could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-6754 | A-31217937 | High | None* | 5.0.2, 5.1.1, 6.0, 6.0.1 | Aug 23, 2016 |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Remote code execution vulnerability in Freetype
A remote code execution vulnerability in Freetype could enable a local malicious application to load a specially crafted font to cause memory corruption in an unprivileged process. This issue is rated as High due to the possibility of remote code execution in applications that use Freetype.
| CVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2014-9675 | A-24296662 [2] | High | None* | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Google internal |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
Elevation of privilege vulnerability in kernel performance subsystem
An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2015-8963 | A-30952077
Upstream kernel |
High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Dec 15, 2015 |
Elevation of privilege vulnerability in kernel system-call auditing subsystem
An elevation of privilege vulnerability in the kernel system-call auditing subsystem could enable a local malicious application to disrupt system-call auditing in the kernel. This issue is rated as High because it is a general bypass for a kernel-level defense in depth or exploit mitigation technology.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6136 | A-30956807
Upstream kernel |
High | Android One, Pixel C, Nexus Player | Jul 1, 2016 |
Elevation of privilege vulnerability in Qualcomm crypto engine driver
An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6738 | A-30034511
QC-CR#1050538 |
High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 7, 2016 |
Elevation of privilege vulnerability in Qualcomm camera driver
An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6739 | A-30074605* QC-CR#1049826 |
High | Nexus 5X, Nexus 6P, Pixel, Pixel XL | Jul 11, 2016 |
| CVE-2016-6740 | A-30143904
QC-CR#1056307 |
High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 12, 2016 |
| CVE-2016-6741 | A-30559423
QC-CR#1060554 |
High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 28, 2016 |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Elevation of privilege vulnerability in Qualcomm bus driver
An elevation of privilege vulnerability in the Qualcomm bus driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-3904 | A-30311977
QC-CR#1050455 |
High | Nexus 5X, Nexus 6P, Pixel, Pixel XL | Jul 22, 2016 |
Elevation of privilege vulnerability in Synaptics touchscreen driver
An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6742 | A-30799828* | High | Nexus 5X, Android One | Aug 9, 2016 |
| CVE-2016-6744 | A-30970485* | High | Nexus 5X | Aug 19, 2016 |
| CVE-2016-6745 | A-31252388* | High | Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL | Sep 1, 2016 |
| CVE-2016-6743 | A-30937462* | High | Nexus 9, Android One | Google internal |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Information disclosure vulnerability in kernel components
An information disclosure vulnerability in kernel components, including the human interface device driver, file system, and Teletype driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2015-8964 | A-30951112
Upstream kernel |
High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Nov 27, 2015 |
| CVE-2016-7915 | A-30951261
Upstream kernel |
High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Jan 19, 2016 |
| CVE-2016-7914 | A-30513364
Upstream kernel |
High | Pixel C, Pixel, Pixel XL | Apr 06, 2016 |
| CVE-2016-7916 | A-30951939
Upstream kernel |
High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | May 05, 2016 |
Information disclosure vulnerability in NVIDIA GPU driver
An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6746 | A-30955105* N-CVE-2016-6746 |
High | Pixel C | Aug 18, 2016 |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Denial of service vulnerability in Mediaserver
A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6747 | A-31244612* N-CVE-2016-6747 |
High | Nexus 9 | Google internal |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Information disclosure vulnerability in kernel components
An information disclosure vulnerability in kernel components, including the process-grouping subsystem and the networking subsystem, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-7917 | A-30947055
Upstream kernel |
Moderate | Pixel C, Pixel, Pixel XL | Feb 02, 2016 |
| CVE-2016-6753 | A-30149174* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel C, Nexus Player, Pixel, Pixel XL | Jul 13, 2016 |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
Information disclosure vulnerability in Qualcomm components
An information disclosure vulnerability in Qualcomm components including the GPU driver, power driver, SMSM Point-to-Point driver, and sound driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
| CVE | References | Severity | Updated Google devices | Date reported |
|---|---|---|---|---|
| CVE-2016-6748 | A-30076504
QC-CR#987018 |
Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 12, 2016 |
| CVE-2016-6749 | A-30228438
QC-CR#1052818 |
Moderate | Nexus 5X, Nexus 6P, Pixel, Pixel XL | Jul 12, 2016 |
| CVE-2016-6750 | A-30312054
QC-CR#1052825 |
Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jul 21, 2016 |
| CVE-2016-3906 | A-30445973
QC-CR#1054344 |
Moderate | Nexus 5X, Nexus 6P | Jul 27, 2016 |
| CVE-2016-3907 | A-30593266
QC-CR#1054352 |
Moderate | Nexus 5X, Nexus 6P, Pixel, Pixel XL | Aug 2, 2016 |
| CVE-2016-6698 | A-30741851
QC-CR#1058826 |
Moderate | Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL | Aug 2, 2016 |
| CVE-2016-6751 | A-30902162* QC-CR#1062271 |
Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Aug 15, 2016 |
| CVE-2016-6752 | A-31498159
QC-CR#987051 |
Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Google internal |
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.
2016-11-06 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities listed in the 2016-11-06 security patch level—Vulnerability summary above. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Elevation of privilege vulnerability in kernel memory subsystem
An elevation of privilege vulnerability in the kernel memory subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
Note: A security patch level of 2016-11-06 indicates that this issue, as well as all issues associated with 2016-11-01 and 2016-11-05 are addressed.
| CVE | References | Severity | Updated kernel versions | Date reported |
|---|---|---|---|---|
| CVE-2016-5195 | A-32141528 Upstream kernel [2] |
Critical | 3.10, 3.18 | Oct 12, 2016 |
Common Questions and Answers
This section answers common questions that may occur after reading this bulletin.
1. How do I determine if my device is updated to address these issues?
To learn how to check a device’s security patch level, read the instructions on the Pixel and Nexus update schedule.
- Security patch levels of 2016-11-01 or later address all issues associated with the 2016-11-01 security patch level.
- Security patch levels of 2016-11-05 or later address all issues associated with the 2016-11-05 security patch level and all previous patch levels.
- Security patch levels of 2016-11-06 or later address all issues associated with the 2016-11-06 security patch level and all previous patch levels.
Device manufacturers that include these updates should set the patch level string to:
- [ro.build.version.security_patch]:[2016-11-01]
- [ro.build.version.security_patch]:[2016-11-05]
- [ro.build.version.security_patch]:[2016-11-06].
2. Why does this bulletin have three security patch levels?
This bulletin has three security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.
- Devices that use the November 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
- Devices that use the security patch level of November 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins.
- Devices that use the security patch level of November 6, 2016 or newer must include all applicable patches in this (and previous) security bulletins.
Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.
3. How do I determine which Google devices are affected by each issue?
In the 2016-11-01, 2016-11-05, and 2016-11-06 security vulnerability details sections, each table has an Updated Google devices column that covers the range of affected Google devices updated for each issue. This column has a few options:
- All Google devices: If an issue affects all Nexus and Pixel devices, the table will have "All" in the Updated Google devices column. "All" encapsulates the following supported devices: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel C, Pixel, and Pixel XL.
- Some Google devices: If an issue doesn't affect all Google devices, the affected Google devices are listed in the Updated Google devices column.
- No Google devices: If no Google devices running Android 7.0 are affected by the issue, the table will have "None" in the Updated Google devices column.
4. What do the entries in the references column map to?
Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. These prefixes map as follows:
| Prefix | Reference |
|---|---|
| A- | Android bug ID |
| QC- | Qualcomm reference number |
| M- | MediaTek reference number |
| N- | NVIDIA reference number |
| B- | Broadcom reference number |
Revisions
- November 07, 2016: Bulletin published.
- November 08: Bulletin revised to include AOSP links and updated description for CVE-2016-6709.
- November 17: Bulletin revised to include attribution for CVE-2016-6828.
- December 21: Updated researcher credit.