FKIE_CVE-2016-0828

Vulnerability from fkie_nvd - Published: 2016-03-12 21:59 - Updated: 2025-04-12 10:46
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The BnGraphicBufferConsumer::onTransact function in libs/gui/IGraphicBufferConsumer.cpp in mediaserver in Android 5.x before 5.1.1 LMY49H and 6.x before 2016-03-01 does not initialize a certain slot variable, which allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, by triggering an ATTACH_BUFFER action, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26338113.
References
security@android.comhttp://source.android.com/security/bulletin/2016-03-01.htmlVendor Advisory
security@android.comhttp://www.securityfocus.com/bid/84261
security@android.comhttps://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755
af854a3a-2127-422b-91ae-364da2661108http://source.android.com/security/bulletin/2016-03-01.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/84261
af854a3a-2127-422b-91ae-364da2661108https://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755
Impacted products
Vendor Product Version
google android 5.0
google android 5.0.1
google android 5.0.2
google android 5.1
google android 5.1.0
google android 5.1.1
google android 6.0
google android 6.0.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C4E6353-B77A-464F-B7DE-932704003B33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "77125688-2CCA-4990-ABB2-551D47CB0CDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9915371-C730-41F7-B86E-7E4DE0DF5385",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7A8EC00-266C-409B-AD43-18E8DFCD6FE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B846C63A-7261-481E-B4A4-0D8C79E0D8A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1D94CDD-DE7B-444E-A3AE-AE9C9A779374",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E70C6D8D-C9C3-4D92-8DFC-71F59E068295",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "691FA41B-C2CE-413F-ABB1-0B22CB322807",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The BnGraphicBufferConsumer::onTransact function in libs/gui/IGraphicBufferConsumer.cpp in mediaserver in Android 5.x before 5.1.1 LMY49H and 6.x before 2016-03-01 does not initialize a certain slot variable, which allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, by triggering an ATTACH_BUFFER action, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26338113."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n BnGraphicBufferConsumer::onTransact en libs/gui/IGraphicBufferConsumer.cpp en mediaserver en Android 5.x en versiones anteriores a 5.1.1 LMY49H y 6.x en versiones anteriores a 2016-03-01 no inicializa una variable slot determinada, lo que permite a atacantes obtener informaci\u00f3n sensible, y consecuentemente eludir un mecanismo de protecci\u00f3n no especificado, desencadenando una acci\u00f3n ATTACH_BUFFER, seg\u00fan lo demostrado mediante la obtenci\u00f3n de acceso Signature o SignatureOrSystem, tambi\u00e9n conocida como error interno 26338113."
    }
  ],
  "id": "CVE-2016-0828",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-03-12T21:59:12.947",
  "references": [
    {
      "source": "security@android.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://source.android.com/security/bulletin/2016-03-01.html"
    },
    {
      "source": "security@android.com",
      "url": "http://www.securityfocus.com/bid/84261"
    },
    {
      "source": "security@android.com",
      "url": "https://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://source.android.com/security/bulletin/2016-03-01.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/84261"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755"
    }
  ],
  "sourceIdentifier": "security@android.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-254"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.