CVE-2016-2417
critical-risk
Published 2016-04-18
media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26914474.
Do I need to act?
!
13.2% chance of exploitation in next 30 days
EPSS score — higher than 87% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
Affected Vendors
References (6)
Vendor Advisory
http://source.android.com/security/bulletin/2016-04-02.html
Vendor Advisory
http://source.android.com/security/bulletin/2016-04-02.html
71
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
19/34 · Moderate
Exposure
20/34 · Moderate