Android Security Bulletin—November 2016

Published November 07, 2016 | Updated December 21, 2016

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of November 06, 2016 or later address all of these issues. Refer to the Pixel and Nexus update schedule to learn how to check a device's security patch level.

Partners were notified of the issues described in the bulletin on October 20, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google service mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.

We encourage all customers to accept these updates to their devices.

Announcements

  • With the introduction of the Pixel and Pixel XL devices, the term for all devices supported by Google is "Google devices" instead of "Nexus devices."
  • This bulletin has three security patch levels to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices. See Common questions and answers for additional information:
    • 2016-11-01: Partial security patch level. This security patch level indicates that all issues associated with 2016-11-01 (and all previous security patch level) are addressed.
    • 2016-11-05: Complete security patch level. This security patch level indicates that all issues associated with 2016-11-01 and 2016-11-05 (and all previous security patch levels) are addressed.
    • Supplemental security patch levels

      Supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined. Addressing these recently disclosed vulnerabilities is not required until the 2016-12-01 security patch level.

      • 2016-11-06: This security patch level indicates that the device has addressed all issues associated with 2016-11-05 and CVE-2016-5195, which was publicly disclosed on October 19, 2016.
  • Supported Google devices will receive a single OTA update with the November 05, 2016 security patch level.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

  • Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security Team: CVE-2016-6722
  • Andrei Kapishnikov and Miriam Gershenson of Google: CVE-2016-6703
  • Ao Wang (@ArayzSegment) and Zinuo Han of PKAV, Silence Information Technology: CVE-2016-6700, CVE-2016-6702
  • Askyshang of Security Platform Department, Tencent: CVE-2016-6713
  • Billy Lau of Android Security: CVE-2016-6737
  • Constantinos Patsakis and Efthimios Alepis of University of Piraeus: CVE-2016-6715
  • dragonltx of Alibaba mobile security team: CVE-2016-6714
  • Gal Beniamini of Project Zero: CVE-2016-6707, CVE-2016-6717
  • Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-6725, CVE-2016-6738, CVE-2016-6740, CVE-2016-6741, CVE-2016-6742, CVE-2016-6744, CVE-2016-6745, CVE-2016-3906
  • Guang Gong (龚广) (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-6754
  • Jianqiang Zhao (@jianqiangzhao) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-6739, CVE-2016-3904, CVE-2016-3907, CVE-2016-6698
  • Marco Grassi (@marcograss) of Keen Lab of Tencent (@keen_lab): CVE-2016-6828
  • Mark Brand of Project Zero: CVE-2016-6706
  • Mark Renouf of Google: CVE-2016-6724
  • Michał Bednarski (github.com/michalbednarski): CVE-2016-6710
  • Min Chong of Android Security: CVE-2016-6743
  • Peter Pi (@heisecode) of Trend Micro: CVE-2016-6721
  • Qidan He (何淇丹) (@flanker_hqd) and Gengming Liu (刘耕铭) (@dmxcsnsbh) of KeenLab, Tencent: CVE-2016-6705
  • Robin Lee of Google: CVE-2016-6708
  • Scott Bauer (@ScottyBauer1): CVE-2016-6751
  • Sergey Bobrov (@Black2Fan) of Kaspersky Lab: CVE-2016-6716
  • Seven Shen (@lingtongshen) of Trend Micro Mobile Threat Research Team: CVE-2016-6748, CVE-2016-6749, CVE-2016-6750, CVE-2016-6753
  • Victor van der Veen, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida of Vrije Universiteit Amsterdam and Yanick Fratantonio, Martina Lindorfer, and Giovanni Vigna of University of California, Santa Barbara: CVE-2016-6728
  • Weichao Sun (@sunblate) of Alibaba Inc: CVE-2016-6712, CVE-2016-6699, CVE-2016-6711
  • Wenke Dou (vancouverdou@gmail.com), Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-6720
  • Wish Wu (吴潍浠) (@wish_wu) of Trend Micro Inc.: CVE-2016-6704
  • Yakov Shafranovich of Nightwatch Cybersecurity: CVE-2016-6723
  • Yuan-Tsung Lo, Yao Jun, Tong Lin, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-6730, CVE-2016-6732, CVE-2016-6734, CVE-2016-6736
  • Yuan-Tsung Lo, Yao Jun, Xiaodong Wang, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-6731, CVE-2016-6733, CVE-2016-6735, CVE-2016-6746

Additional thanks to Zach Riggle of Android Security for his contributions to several issues in this bulletin.

2016-11-01 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-11-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Remote code execution vulnerability in Mediaserver

A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6699 A-31373622 Critical All 7.0 Jul 27, 2016

Elevation of privilege vulnerability in libzipfile

An elevation of privilege vulnerability in libzipfile could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6700 A-30916186 Critical None* 4.4.4, 5.0.2, 5.1.1 Aug 17, 2016

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Remote code execution vulnerability in Skia

A remote code execution vulnerability in libskia could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as High due to the possibility of remote code execution within the context of the gallery process.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6701 A-30190637 High All 7.0 Google internal

Remote code execution vulnerability in libjpeg

A remote code execution vulnerability in libjpeg could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses libjpeg.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6702 A-30259087 High None* 4.4.4, 5.0.2, 5.1.1 Jul 19, 2016

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Remote code execution vulnerability in Android runtime

A remote code execution vulnerability in an Android runtime library could enable an attacker using a specially crafted payload to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses the Android runtime.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6703 A-30765246 High None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Elevation of privilege vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6704 A-30229821 [2] [3] High All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Jul 19, 2016
CVE-2016-6705 A-30907212 [2] High All 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Aug 16, 2016
CVE-2016-6706 A-31385713 High All 7.0 Sep 8, 2016

Elevation of privilege vulnerability in System Server

An elevation of privilege vulnerability in System Server could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6707 A-31350622 High All 6.0, 6.0.1, 7.0 Sep 7, 2016

Elevation of privilege vulnerability in System UI

An elevation of privilege in the System UI could enable a local malicious user to bypass the security prompt of a work profile in Multi-Window mode. This issue is rated as High because it is a local bypass of user interaction requirements for any developer or security setting modifications.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6708 A-30693465 High All 7.0 Google internal

Information disclosure vulnerability in Conscrypt

An information disclosure vulnerability in Conscrypt could enable an attacker to gain access to sensitive information if a legacy encryption API is used by an application. This issue is rated as High because it could be used to access data without permission.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6709 A-31081987 High All 6.0, 6.0.1, 7.0 Oct 9, 2015

Information disclosure vulnerability in download manager

An information disclosure vulnerability in the download manager could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as High because it could be used to gain access to data that the application does not have access to.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6710 A-30537115 [2] High All 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Jul 30, 2016

Denial of service vulnerability in Bluetooth

A denial of service vulnerability in Bluetooth could enable a proximate attacker to block Bluetooth access to an affected device. This issue is rated as High due to the possibility of remote denial of service.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2014-9908 A-28672558 High None* 4.4.4, 5.0.2, 5.1.1 May 5, 2014

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Denial of service vulnerability in OpenJDK

A remote denial of service vulnerability in OpenJDK could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2015-0410 A-30703445 High All 7.0 Jan 16, 2015

Denial of service vulnerability in Mediaserver

A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6711 A-30593765 High None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Aug 1, 2016
CVE-2016-6712 A-30593752 High None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Aug 1, 2016
CVE-2016-6713 A-30822755 High All 6.0, 6.0.1, 7.0 Aug 11, 2016
CVE-2016-6714 A-31092462 High All 6.0, 6.0.1, 7.0 Aug 22, 2016

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Elevation of privilege vulnerability in Framework APIs

An elevation of privilege vulnerability in the Framework APIs could allow a local malicious application to record audio without the user's permission. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6715 A-29833954 Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Jun 28, 2016

Elevation of privilege vulnerability in AOSP Launcher

An elevation of privilege vulnerability in the AOSP Launcher could allow a local malicious application to create shortcuts that have elevated privileges without the user's consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6716 A-30778130 Moderate All 7.0 Aug 5, 2016

Elevation of privilege vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires exploitation of a separate vulnerability.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6717 A-31350239 Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Sep 7, 2016

Elevation of privilege vulnerability in Account Manager Service

An elevation of privilege vulnerability in the Account Manager Service could enable a local malicious application to retrieve sensitive information without user interaction. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission.)

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6718 A-30455516 Moderate All 7.0 Google internal

Elevation of privilege vulnerability in Bluetooth

An elevation of privilege vulnerability in the Bluetooth component could enable a local malicious application to pair with any Bluetooth device without user consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6719 A-29043989 [2] Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Google internal

Information disclosure vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6720 A-29422020 [2] [3] [4] Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Jun 15, 2016
CVE-2016-6721 A-30875060 Moderate All 6.0, 6.0.1, 7.0 Aug 13, 2016
CVE-2016-6722 A-31091777 Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Aug 23, 2016

Denial of service vulnerability in Proxy Auto Config

A denial of service vulnerability in Proxy Auto Config could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as Moderate because it requires an uncommon device configuration.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6723 A-30100884 [2] Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Jul 11, 2016

Denial of service vulnerability in Input Manager Service

A denial of service vulnerability in the Input Manager Service could enable a local malicious application to cause the device to continually reboot. This issue is rated as Moderate because it is a temporary denial of service that requires a factory reset to fix.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6724 A-30568284 Moderate All 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 Google internal

2016-11-05 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-11-05 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Remote code execution vulnerability in Qualcomm crypto driver

A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel.

CVE References Severity Updated Google devices Date reported
CVE-2016-6725 A-30515053
QC-CR#1050970
Critical Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 25, 2016

Elevation of privilege vulnerability in kernel file system

An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2015-8961 A-30952474
Upstream kernel
Critical Pixel, Pixel XL Oct 18, 2015
CVE-2016-7911 A-30946378
Upstream kernel
Critical Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Jul 01, 2016
CVE-2016-7910 A-30942273
Upstream kernel
Critical Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Jul 29, 2016

Elevation of privilege vulnerability in kernel SCSI driver

An elevation of privilege vulnerability in the kernel SCSI driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2015-8962 A-30951599
Upstream kernel
Critical Pixel, Pixel XL Oct 30, 2015

Elevation of privilege vulnerability in kernel media driver

An elevation of privilege vulnerability in the kernel media driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-7913 A-30946097
Upstream kernel
Critical Nexus 6P, Android One, Nexus Player, Pixel, Pixel XL Jan 28, 2016

Elevation of privilege vulnerability in kernel USB driver

An elevation of privilege vulnerability in the kernel USB driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-7912 A-30950866
Upstream kernel
Critical Pixel C, Pixel, Pixel XL Apr 14, 2016

Elevation of privilege vulnerability in kernel ION subsystem

An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-6728 A-30400942* Critical Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One Jul 25, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm bootloader

An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-6729 A-30977990*
QC-CR#977684
Critical Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 25, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Elevation of privilege vulnerability in NVIDIA GPU driver

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-6730 A-30904789*
N-CVE-2016-6730
Critical Pixel C Aug 16, 2016
CVE-2016-6731 A-30906023*
N-CVE-2016-6731
Critical Pixel C Aug 16, 2016
CVE-2016-6732 A-30906599*
N-CVE-2016-6732
Critical Pixel C Aug 16, 2016
CVE-2016-6733 A-30906694*
N-CVE-2016-6733
Critical Pixel C Aug 16, 2016
CVE-2016-6734 A-30907120*
N-CVE-2016-6734
Critical Pixel C Aug 16, 2016
CVE-2016-6735 A-30907701*
N-CVE-2016-6735
Critical Pixel C Aug 16, 2016
CVE-2016-6736 A-30953284*
N-CVE-2016-6736
Critical Pixel C Aug 18, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Elevation of privilege vulnerability in kernel networking subsystem

An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-6828 A-31183296
Upstream kernel
Critical Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Aug 18, 2016

Elevation of privilege vulnerability in kernel sound subsystem

An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-2184 A-30952477
Upstream kernel
Critical Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Mar 31, 2016

Elevation of privilege vulnerability in kernel ION subsystem

An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE References Severity Updated Google devices Date reported
CVE-2016-6737 A-30928456* Critical Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Google internal

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Vulnerabilities in Qualcomm components

The table below contains security vulnerabilities affecting Qualcomm components and are described in further detail in Qualcomm AMSS June 2016 security bulletin and Security Alert 80-NV606-17.

CVE References Severity* Updated Google devices Date reported
CVE-2016-6727 A-31092400** Critical Android One Qualcomm internal
CVE-2016-6726 A-30775830** High Nexus 6, Android One Qualcomm internal

* The severity rating for these vulnerabilities was determined by the vendor.

** The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Remote code execution vulnerability in Expat

The table below contains security vulnerabilities affecting the Expat library. The most severe of these issues is an elevation of privilege vulnerability in the Expat XML parser, which could enable an attacker using a specially crafted file to execute arbitrary code in an unprivileged process. This issue is rated as High due to the possibility of arbitrary code execution in an application that uses Expat.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-0718 A-28698301 High None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 May 10, 2016
CVE-2012-6702 A-29149404 Moderate None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Mar 06, 2016
CVE-2016-5300 A-29149404 Moderate None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jun 04, 2016
CVE-2015-1283 A-27818751 Low None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jul 24, 2015

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Remote code execution vulnerability in Webview

A remote code execution vulnerability in Webview could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2016-6754 A-31217937 High None* 5.0.2, 5.1.1, 6.0, 6.0.1 Aug 23, 2016

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Remote code execution vulnerability in Freetype

A remote code execution vulnerability in Freetype could enable a local malicious application to load a specially crafted font to cause memory corruption in an unprivileged process. This issue is rated as High due to the possibility of remote code execution in applications that use Freetype.

CVE References Severity Updated Google devices Updated AOSP versions Date reported
CVE-2014-9675 A-24296662 [2] High None* 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google internal

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Elevation of privilege vulnerability in kernel performance subsystem

An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2015-8963 A-30952077
Upstream kernel
High Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Dec 15, 2015

Elevation of privilege vulnerability in kernel system-call auditing subsystem

An elevation of privilege vulnerability in the kernel system-call auditing subsystem could enable a local malicious application to disrupt system-call auditing in the kernel. This issue is rated as High because it is a general bypass for a kernel-level defense in depth or exploit mitigation technology.

CVE References Severity Updated Google devices Date reported
CVE-2016-6136 A-30956807
Upstream kernel
High Android One, Pixel C, Nexus Player Jul 1, 2016

Elevation of privilege vulnerability in Qualcomm crypto engine driver

An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2016-6738 A-30034511
QC-CR#1050538
High Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 7, 2016

Elevation of privilege vulnerability in Qualcomm camera driver

An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2016-6739 A-30074605*
QC-CR#1049826
High Nexus 5X, Nexus 6P, Pixel, Pixel XL Jul 11, 2016
CVE-2016-6740 A-30143904
QC-CR#1056307
High Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 12, 2016
CVE-2016-6741 A-30559423
QC-CR#1060554
High Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 28, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm bus driver

An elevation of privilege vulnerability in the Qualcomm bus driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2016-3904 A-30311977
QC-CR#1050455
High Nexus 5X, Nexus 6P, Pixel, Pixel XL Jul 22, 2016

Elevation of privilege vulnerability in Synaptics touchscreen driver

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2016-6742 A-30799828* High Nexus 5X, Android One Aug 9, 2016
CVE-2016-6744 A-30970485* High Nexus 5X Aug 19, 2016
CVE-2016-6745 A-31252388* High Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL Sep 1, 2016
CVE-2016-6743 A-30937462* High Nexus 9, Android One Google internal

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Information disclosure vulnerability in kernel components

An information disclosure vulnerability in kernel components, including the human interface device driver, file system, and Teletype driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.

CVE References Severity Updated Google devices Date reported
CVE-2015-8964 A-30951112
Upstream kernel
High Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Nov 27, 2015
CVE-2016-7915 A-30951261
Upstream kernel
High Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL Jan 19, 2016
CVE-2016-7914 A-30513364
Upstream kernel
High Pixel C, Pixel, Pixel XL Apr 06, 2016
CVE-2016-7916 A-30951939
Upstream kernel
High Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL May 05, 2016

Information disclosure vulnerability in NVIDIA GPU driver

An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.

CVE References Severity Updated Google devices Date reported
CVE-2016-6746 A-30955105*
N-CVE-2016-6746
High Pixel C Aug 18, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Denial of service vulnerability in Mediaserver

A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.

CVE References Severity Updated Google devices Date reported
CVE-2016-6747 A-31244612*
N-CVE-2016-6747
High Nexus 9 Google internal

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Information disclosure vulnerability in kernel components

An information disclosure vulnerability in kernel components, including the process-grouping subsystem and the networking subsystem, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2016-7917 A-30947055
Upstream kernel
Moderate Pixel C, Pixel, Pixel XL Feb 02, 2016
CVE-2016-6753 A-30149174* Moderate Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel C, Nexus Player, Pixel, Pixel XL Jul 13, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

Information disclosure vulnerability in Qualcomm components

An information disclosure vulnerability in Qualcomm components including the GPU driver, power driver, SMSM Point-to-Point driver, and sound driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE References Severity Updated Google devices Date reported
CVE-2016-6748 A-30076504
QC-CR#987018
Moderate Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 12, 2016
CVE-2016-6749 A-30228438
QC-CR#1052818
Moderate Nexus 5X, Nexus 6P, Pixel, Pixel XL Jul 12, 2016
CVE-2016-6750 A-30312054
QC-CR#1052825
Moderate Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Jul 21, 2016
CVE-2016-3906 A-30445973
QC-CR#1054344
Moderate Nexus 5X, Nexus 6P Jul 27, 2016
CVE-2016-3907 A-30593266
QC-CR#1054352
Moderate Nexus 5X, Nexus 6P, Pixel, Pixel XL Aug 2, 2016
CVE-2016-6698 A-30741851
QC-CR#1058826
Moderate Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL Aug 2, 2016
CVE-2016-6751 A-30902162*
QC-CR#1062271
Moderate Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Aug 15, 2016
CVE-2016-6752 A-31498159
QC-CR#987051
Moderate Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL Google internal

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the Google Developer site.

2016-11-06 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities listed in the 2016-11-06 security patch level—Vulnerability summary above. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Elevation of privilege vulnerability in kernel memory subsystem

An elevation of privilege vulnerability in the kernel memory subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

Note: A security patch level of 2016-11-06 indicates that this issue, as well as all issues associated with 2016-11-01 and 2016-11-05 are addressed.

CVE References Severity Updated kernel versions Date reported
CVE-2016-5195 A-32141528
Upstream kernel [2]
Critical 3.10, 3.18 Oct 12, 2016

Common Questions and Answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device’s security patch level, read the instructions on the Pixel and Nexus update schedule.

  • Security patch levels of 2016-11-01 or later address all issues associated with the 2016-11-01 security patch level.
  • Security patch levels of 2016-11-05 or later address all issues associated with the 2016-11-05 security patch level and all previous patch levels.
  • Security patch levels of 2016-11-06 or later address all issues associated with the 2016-11-06 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch level string to:

  • [ro.build.version.security_patch]:[2016-11-01]
  • [ro.build.version.security_patch]:[2016-11-05]
  • [ro.build.version.security_patch]:[2016-11-06].

2. Why does this bulletin have three security patch levels?

This bulletin has three security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

  • Devices that use the November 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
  • Devices that use the security patch level of November 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins.
  • Devices that use the security patch level of November 6, 2016 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

3. How do I determine which Google devices are affected by each issue?

In the 2016-11-01, 2016-11-05, and 2016-11-06 security vulnerability details sections, each table has an Updated Google devices column that covers the range of affected Google devices updated for each issue. This column has a few options:

  • All Google devices: If an issue affects all Nexus and Pixel devices, the table will have "All" in the Updated Google devices column. "All" encapsulates the following supported devices: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Android One, Nexus Player, Pixel C, Pixel, and Pixel XL.
  • Some Google devices: If an issue doesn't affect all Google devices, the affected Google devices are listed in the Updated Google devices column.
  • No Google devices: If no Google devices running Android 7.0 are affected by the issue, the table will have "None" in the Updated Google devices column.

4. What do the entries in the references column map to?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. These prefixes map as follows:

Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number

Revisions

  • November 07, 2016: Bulletin published.
  • November 08: Bulletin revised to include AOSP links and updated description for CVE-2016-6709.
  • November 17: Bulletin revised to include attribution for CVE-2016-6828.
  • December 21: Updated researcher credit.