Google is committed to advancing racial equity for Black communities. See how.

Published August 01, 2016 | Updated October 21, 2016

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware images have also been released to the Google Developer site. Security Patch Levels of August 05, 2016 or later address these issues. Refer to the documentation to learn how to check the security patch level.

Partners were notified about the issues described in the bulletin on July 06, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google service mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.

We encourage all customers to accept these updates to their devices.

Announcements

Bulletin revised to correct CVE-2016-3856 to CVE-2016-2060.

This bulletin has two security patch level strings to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices. See Common questions and answers for additional information: 2016-08-01 : Partial security patch level string. This security patch level string indicates that all issues associated with 2016-08-01 (and all previous security patch level strings) are addressed. 2016-08-05 : Complete security patch level string. This security patch level string indicates that all issues associated with 2016-08-01 and 2016-08-05 (and all previous security patch level strings) are addressed.

Supported Nexus devices will receive a single OTA update with the August 05, 2016 security patch level.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.

As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

We would like to thank Daniel Micay of Copperhead Security, Jeff Vander Stoep, and Yabin Cui of Google for their contribution of platform level updates to mitigate a class of vulnerabilities such as CVE-2016-3843. This mitigation is based on work by Brad Spengler of Grsecurity.

2016-08-01 security patch level—Security vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-08-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Remote code execution vulnerability in Mediaserver

A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.

The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3819 A-28533562 Critical All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 2, 2016 CVE-2016-3820 A-28673410 Critical All Nexus 6.0, 6.0.1 May 6, 2016 CVE-2016-3821 A-28166152 Critical All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Remote code execution vulnerability in libjhead

A remote code execution vulnerability in libjhead could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in applications that use this library.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3822 A-28868315 High All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Elevation of privilege vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3823 A-28815329 High All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 17, 2016 CVE-2016-3824 A-28816827 High All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 17, 2016 CVE-2016-3825 A-28816964 High All Nexus 5.0.2, 5.1.1, 6.0, 6.0.1 May 17, 2016 CVE-2016-3826 A-29251553 High All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jun 9, 2016

Denial of service vulnerability in Mediaserver

A denial of service vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of a temporary remote denial of service.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3827 A-28816956 High All Nexus 6.0.1 May 16, 2016 CVE-2016-3828 A-28835995 High All Nexus 6.0, 6.0.1 May 17, 2016 CVE-2016-3829 A-29023649 High All Nexus 6.0, 6.0.1 May 27, 2016 CVE-2016-3830 A-29153599 High All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Denial of service vulnerability in system clock

A denial of service vulnerability in the system clock could enable a remote attacker to crash the device. This issue is rated as High due to the possibility of a temporary remote denial of service.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3831 A-29083635 High All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 31, 2016

Elevation of privilege vulnerability in framework APIs

An elevation of privilege vulnerability in the framework APIs could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as Moderate because it could be used to gain access to data that is outside of the application’s permission levels.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3832 A-28795098 Moderate All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 15, 2016

Elevation of privilege vulnerability in Shell

An elevation of privilege in the Shell could enable a local malicious application to bypass device constraints such as user restrictions. This issue is rated as Moderate because it is a local bypass of user permissions.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3833 A-29189712 [2] Moderate All Nexus 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Information disclosure vulnerability in OpenSSL

An information disclosure vulnerability in OpenSSL could allow a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-2842 A-29060514 None* All Nexus 4.4.4, 5.0.2, 5.1.1 Mar 29, 2016

* Supported Nexus devices that have installed all available updates are not affected by this vulnerability

Information disclosure vulnerability in camera APIs

An information disclosure vulnerability in the camera APIs could allow a local malicious application to access data structures outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3834 A-28466701 Moderate All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Apr 28, 2016

Information disclosure vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could allow a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3835 A-28920116 Moderate All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 23, 2016

Information disclosure vulnerability in SurfaceFlinger

An information disclosure vulnerability in the SurfaceFlinger service could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without explicit user permission.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3836 A-28592402 Moderate All Nexus 5.0.2, 5.1.1, 6.0, 6.0.1 May 4, 2016

Information disclosure vulnerability in Wi-Fi

An information disclosure vulnerability in Wi-Fi could allow a local malicious application to to access data outside of its permission levels. This issue is rated Moderate because it could be used to access sensitive data without permission.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3837 A-28164077 Moderate All Nexus 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Denial of service vulnerability in system UI

A denial of service vulnerability in the system UI could enable a local malicious application to prevent 911 calls from a locked screen. This issue is rated as Moderate due to the possibility of a denial of service on a critical function.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3838 A-28761672 Moderate All Nexus 6.0, 6.0.1 Google internal

Denial of service vulnerability in Bluetooth

A denial of service vulnerability in Bluetooth could enable a local malicious application to prevent 911 calls from a Bluetooth device. This issue is rated as Moderate due to the possibility of a denial of service on a critical function.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3839 A-28885210 Moderate All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

2016-08-05 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-08-05 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Remote code execution vulnerability in Qualcomm Wi-Fi driver

A remote code execution vulnerability in the Qualcomm Wi-Fi driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise.

CVE References Severity Updated Nexus devices Date reported CVE-2014-9902 A-28668638 QC-CR#553937

QC-CR#553941 Critical Nexus 7 (2013) Mar 31, 2014

Remote code execution vulnerability in Conscrypt

A remote code execution vulnerability in Conscrypt could enable a remote attacker to execute arbitrary code within the context of a privileged process. This issue is rated as Critical due to the possibility of remote code execution.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3840 A-28751153 Critical All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Elevation of privilege vulnerability in Qualcomm components

The table below contains security vulnerabilities affecting Qualcomm components, potentially including the bootloader, camera driver, character drive, networking, sound driver, and video driver.

The most severe of these issues is rated as Critical due to possibility that a local malicious application could execute arbitrary code within the context of the kernel leading to a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Nexus devices Date reported CVE-2014-9863 A-28768146 QC-CR#549470 Critical Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9864 A-28747998 QC-CR#561841 High Nexus 5, Nexus 7 (2013) Mar 27, 2014 CVE-2014-9865 A-28748271 QC-CR#550013 High Nexus 5, Nexus 7 (2013) Mar 27, 2014 CVE-2014-9866 A-28747684 QC-CR#511358 High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9867 A-28749629 QC-CR#514702 High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9868 A-28749721 QC-CR#511976 High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9869 A-28749728 QC-CR#514711 [2] High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9870 A-28749743 QC-CR#561044 High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9871 A-28749803 QC-CR#514717 High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9872 A-28750155 QC-CR#590721 High Nexus 5 Mar 31, 2014 CVE-2014-9873 A-28750726 QC-CR#556860 High Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9874 A-28751152 QC-CR#563086 High Nexus 5, Nexus 5X, Nexus 6P, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9875 A-28767589 QC-CR#483310 High Nexus 7 (2013) Apr 30, 2014 CVE-2014-9876 A-28767796 QC-CR#483408 High Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9877 A-28768281 QC-CR#547231 High Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9878 A-28769208 QC-CR#547479 High Nexus 5 Apr 30, 2014 CVE-2014-9879 A-28769221 QC-CR#524490 High Nexus 5 Apr 30, 2014 CVE-2014-9880 A-28769352 QC-CR#556356 High Nexus 7 (2013) Apr 30, 2014 CVE-2014-9881 A-28769368 QC-CR#539008 High Nexus 7 (2013) Apr 30, 2014 CVE-2014-9882 A-28769546 QC-CR#552329 [2] High Nexus 7 (2013) Apr 30, 2014 CVE-2014-9883 A-28769912 QC-CR#565160 High Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9884 A-28769920 QC-CR#580740 High Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9885 A-28769959 QC-CR#562261 High Nexus 5 Apr 30, 2014 CVE-2014-9886 A-28815575 QC-CR#555030 High Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9887 A-28804057 QC-CR#636633 High Nexus 5, Nexus 7 (2013) Jul 3, 2014 CVE-2014-9888 A-28803642 QC-CR#642735 High Nexus 5, Nexus 7 (2013) Aug 29, 2014 CVE-2014-9889 A-28803645 QC-CR#674712 High Nexus 5 Oct 31, 2014 CVE-2015-8937 A-28803962 QC-CR#770548 High Nexus 5, Nexus 6, Nexus 7 (2013) Mar 31, 2015 CVE-2015-8938 A-28804030 QC-CR#766022 High Nexus 6 Mar 31, 2015 CVE-2015-8939 A-28398884 QC-CR#779021 High Nexus 7 (2013) Apr 30, 2015 CVE-2015-8940 A-28813987 QC-CR#792367 High Nexus 6 Apr 30, 2015 CVE-2015-8941 A-28814502 QC-CR#792473 High Nexus 6, Nexus 7 (2013) May 29, 2015 CVE-2015-8942 A-28814652 QC-CR#803246 High Nexus 6 Jun 30, 2015 CVE-2015-8943 A-28815158 QC-CR#794217 QC-CR#836226 High Nexus 5 Sep 11, 2015 CVE-2014-9891 A-28749283 QC-CR#550061 Moderate Nexus 5 Mar 13, 2014 CVE-2014-9890 A-28770207 QC-CR#529177 Moderate Nexus 5, Nexus 7 (2013) Jun 2, 2014

Elevation of privilege vulnerability in kernel networking component

An elevation of privilege vulnerability in the kernel networking component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Nexus devices Date reported CVE-2015-2686 A-28759139 Upstream kernel Critical All Nexus Mar 23, 2015 CVE-2016-3841 A-28746669 Upstream kernel Critical All Nexus Dec 3, 2015

Elevation of privilege vulnerability in Qualcomm GPU driver

An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Nexus devices Date reported CVE-2016-2504 A-28026365 QC-CR#1002974 Critical Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013) Apr 5, 2016 CVE-2016-3842 A-28377352 QC-CR#1002974 Critical Nexus 5X, Nexus 6, Nexus 6P Apr 25, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm performance component

An elevation of privilege vulnerability in the Qualcomm performance component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

Note: There is also a platform-level update in this bulletin under A-29119870 that is designed to mitigate this class of vulnerabilities.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3843 A-28086229* QC-CR#1011071 Critical Nexus 5X, Nexus 6P Apr 7, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in kernel

An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3857 A-28522518* Critical Nexus 7 (2013) May 2, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in kernel memory system

An elevation of privilege vulnerability in the kernel memory system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2015-1593 A-29577822 Upstream kernel High Nexus Player Feb 13, 2015 CVE-2016-3672 A-28763575 Upstream kernel High Nexus Player Mar 25, 2016

Elevation of privilege vulnerability in kernel sound component

An elevation of privilege vulnerability in the kernel sound component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-2544 A-28695438 Upstream kernel High All Nexus Jan 19, 2016 CVE-2016-2546 A-28694392 Upstream kernel High Pixel C Jan 19, 2016 CVE-2014-9904 A-28592007 Upstream kernel High Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player May 4, 2016

Elevation of privilege vulnerability in kernel file system

An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2012-6701 A-28939037 Upstream kernel High Nexus 5, Nexus 7 (2013) Mar 2, 2016

Elevation of privilege vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not accessible to a third-party application.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3844 A-28299517* N-CVE-2016-3844 High Nexus 9, Pixel C Apr 19, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in kernel video driver

An elevation of privilege vulnerability in the kernel video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3845 A-28399876* High Nexus 5 Apr 20, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in Serial Peripheral Interface driver

An elevation of privilege vulnerability in the Serial Peripheral Interface driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3846 A-28817378* High Nexus 5X, Nexus 6P May 17, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in NVIDIA media driver

An elevation of privilege vulnerability in the NVIDIA media driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3847 A-28871433* N-CVE-2016-3847 High Nexus 9 May 19, 2016 CVE-2016-3848 A-28919417* N-CVE-2016-3848 High Nexus 9 May 19, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in ION driver

An elevation of privilege vulnerability in the ION driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3849 A-28939740 High Pixel C May 24, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm bootloader

An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3850 A-27917291 QC-CR#945164 High Nexus 5, Nexus 5X, Nexus 6P, Nexus 7 (2013) Mar 28, 2016

Elevation of privilege vulnerability in kernel performance subsystem

Elevation of privilege vulnerabilities in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because of the kernel attack surface available for attackers to exploit.

Note: This is a platform level update designed to mitigate a class of vulnerabilities such as CVE-2016-3843 (A-28086229).

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3843 A-29119870* High All Nexus 6.0, 6.1 Google internal

* A patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in LG Electronics bootloader

An elevation of privilege vulnerability in the LG Electronics bootloader could enable an attacker to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3851 A-29189941* High Nexus 5X Google internal

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Information disclosure vulnerability in Qualcomm components

The table below contains security vulnerabilities affecting Qualcomm components, potentially including the bootloader, camera driver, character driver, networking, sound driver and video driver.

The most severe of these issues is rated as High due to the possibility that a local malicious application could access data outside of its permission levels such as sensitive data without explicit user permission.

CVE References Severity Updated Nexus devices Date reported CVE-2014-9892 A-28770164 QC-CR#568717 High Nexus 5, Nexus 7 (2013) Jun 2, 2014 CVE-2015-8944 A-28814213 QC-CR#786116 High Nexus 6, Nexus 7 (2013) Apr 30, 2015 CVE-2014-9893 A-28747914 QC-CR#542223 Moderate Nexus 5 Mar 27, 2014 CVE-2014-9894 A-28749708 QC-CR#545736 Moderate Nexus 7 (2013) Mar 31, 2014 CVE-2014-9895 A-28750150 QC-CR#570757 Moderate Nexus 5, Nexus 7 (2013) Mar 31, 2014 CVE-2014-9896 A-28767593 QC-CR#551795 Moderate Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9897 A-28769856 QC-CR#563752 Moderate Nexus 5 Apr 30, 2014 CVE-2014-9898 A-28814690 QC-CR#554575 Moderate Nexus 5, Nexus 7 (2013) Apr 30, 2014 CVE-2014-9899 A-28803909 QC-CR#547910 Moderate Nexus 5 Jul 3, 2014 CVE-2014-9900 A-28803952 QC-CR#570754 Moderate Nexus 5, Nexus 7 (2013) Aug 8, 2014

Information disclosure vulnerability in kernel scheduler

An information disclosure vulnerability in the kernel scheduler could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.

CVE References Severity Updated Nexus devices Date reported CVE-2014-9903 A-28731691 Upstream kernel High Nexus 5X, Nexus 6P Feb 21, 2014

Information disclosure vulnerability in MediaTek Wi-Fi driver (device specific)

An information disclosure vulnerability in the MediaTek Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3852 A-29141147* M-ALPS02751738 High Android One Apr 12, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Information disclosure vulnerability in USB driver

An information disclosure vulnerability in the USB driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.

CVE References Severity Updated Nexus devices Date reported CVE-2016-4482 A-28619695 Upstream kernel High All Nexus May 3, 2016

Denial of service vulnerability in Qualcomm components

The table below contains security vulnerabilities affecting Qualcomm components, potentially including the Wi-Fi driver.

The most severe of these issues is rated as High due to the possibility that an attacker could cause a temporary remote denial of service resulting in a device hang or reboot.

CVE References Severity Updated Nexus devices Date reported CVE-2014-9901 A-28670333 QC-CR#548711 High Nexus 7 (2013) Mar 31, 2014

Elevation of privilege vulnerability in Google Play services

An elevation of privilege vulnerability in Google Play services could allow a local attacker to bypass the Factory Reset Protection and gain access to the device. This is rated as Moderate due to the possibility of bypassing Factory Reset Protection, which could lead to successfully resetting the device and erasing all its data.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-3853 A-26803208* Moderate All Nexus None May 4, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in Framework APIs

An elevation of privilege vulnerability in the framework APIs could enable a pre-installed application to increase its intent filter priority when the application is being updated without the user being notified. This issue is rated as Moderate because it could be used to gain elevated capabilities without explicit user permission.

CVE References Severity Updated Nexus devices Updated AOSP versions Date reported CVE-2016-2497 A-27450489 Moderate All Nexus 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

Information disclosure vulnerability in kernel networking component

An information disclosure vulnerability in the kernel networking component could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-4486 A-28620102 Upstream kernel Moderate All Nexus May 3, 2016

Information disclosure vulnerability in kernel sound component

An information disclosure vulnerability in the kernel sound component could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE References Severity Updated Nexus devices Date reported CVE-2016-4569 A-28980557 Upstream kernel Moderate All Nexus May 9, 2016 CVE-2016-4578 A-28980217 Upstream kernel [2] Moderate All Nexus May 11, 2016

Vulnerabilities in Qualcomm components

The table below contains security vulnerabilities affecting Qualcomm components, potentially including the bootloader, camera driver, character driver, networking, sound driver, and video driver.

CVE References Severity Updated Nexus devices Date reported CVE-2016-3854 QC-CR#897326 High None Feb 2016 CVE-2016-3855 QC-CR#990824 High None May 2016 CVE-2016-2060 QC-CR#959631 Moderate None Apr 2016

Common Questions and Answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Security Patch Levels of 2016-08-01 or later address all issues associated with the 2016-08-01 security patch string level. Security Patch Levels of 2016-08-05 or later address all issues associated with the 2016-08-05 security patch string level. Refer to the help center for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-08-01] or [ro.build.version.security_patch]:[2016-08-05].

2. Why does this bulletin have two security patch level strings?

This bulletin has two security patch level strings in order to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level string.

Devices that use the security patch level of August 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins.

Devices that use the August 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use August 1, 2016 security patch level may also include a subset of fixes associated with the August 5, 2016 security patch level.

3. How do I determine which Nexus devices are affected by each issue?

In the 2016-08-01 and 2016-08-05 security vulnerability details sections, each table has an Updated Nexus devices column that covers the range of affected Nexus devices updated for each issue. This column has a few options:

All Nexus devices : If an issue affects all Nexus devices, the table will have “All Nexus” in the Updated Nexus devices column. “All Nexus” encapsulates the following supported devices: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Android One, Nexus Player, and Pixel C.

: If an issue affects all Nexus devices, the table will have “All Nexus” in the Updated Nexus devices column. “All Nexus” encapsulates the following supported devices: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Android One, Nexus Player, and Pixel C. Some Nexus devices : If an issue doesn’t affect all Nexus devices, the affected Nexus devices are listed in the Updated Nexus devices column.

: If an issue doesn’t affect all Nexus devices, the affected Nexus devices are listed in the Updated Nexus devices column. No Nexus devices: If no Nexus devices are affected by the issue, the table will have “None” in the Updated Nexus devices column.

4. What do the entries in the references column map to?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. These prefixes map as follows:

Prefix Reference A- Android bug ID QC- Qualcomm reference number M- MediaTek reference number N- NVIDIA reference number

Revisions