CVE-2016-2486 : mp3dec/SoftMP3.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4,

mp3dec/SoftMP3.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 does not validate the relationship between allocated memory and the frame size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 27793371.

Published 2016-06-13 01:59:26

Updated 2025-04-12 10:46:41

Source Android (associated with Google Inc. or Open Handset Alliance)

View at NVD, CVE.org

Products affected by CVE-2016-2486

Google » Android » Version: 4.0.1
cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0
cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.2
cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.1
cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.4
cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.3
cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.2
cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 6.0.1
cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 6.0
cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.1.2
cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.2.1
cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.3
cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.2.2
cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.3.1
cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 5.0
cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 5.0.1
cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 5.1
cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.1.1
cpe:2.3:o:google:android:4.1.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-2486

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 10 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-2486

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-2486

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2486

http://source.android.com/security/bulletin/2016-06-01.html

Android Security Bulletin—June 2016 | Android Open Source Project
Vendor Advisory

CVEs referencing this url
https://android.googlesource.com/platform/frameworks/av/+/ad40e57890f81a3cf436c5f06da66396010bd9e5

ad40e57890f81a3cf436c5f06da66396010bd9e5 - platform/frameworks/av - Git at Google

Jump to

Vulnerability Details : CVE-2016-2486

Products affected by CVE-2016-2486

Exploit prediction scoring system (EPSS) score for CVE-2016-2486

CVSS scores for CVE-2016-2486

CWE ids for CVE-2016-2486

References for CVE-2016-2486