CVE-2016-6722 : An information disclosure vulnerability in libstagefright in Mediaserver in Andr

An information disclosure vulnerability in libstagefright in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Android ID: A-31091777.

Published 2016-12-13 19:59:08

Updated 2025-04-12 10:46:41

Source Android (associated with Google Inc. or Open Handset Alliance)

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2016-6722

Google » Android
Versions from including (>=) 5.0 and before (<) 5.0.2
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions
Google » Android
Versions from including (>=) 4.0 and before (<) 4.4.4
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions
Google » Android
Versions from including (>=) 5.1 and before (<) 5.1.1
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions
Google » Android
Versions from including (>=) 6.0 and up to, including, (<=) 6.0.1
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 7.0
cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-6722

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 23 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-6722

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2016-6722

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-6722

https://android.googlesource.com/platform/frameworks/av/+/89c03b3b9ff74a507a8b8334c50b08b334483556

89c03b3b9ff74a507a8b8334c50b08b334483556 - platform/frameworks/av - Git at Google
Issue Tracking;Patch
http://www.securityfocus.com/bid/94143

Google Android Mediaserver Multiple Information Disclosure Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://source.android.com/security/bulletin/2016-11-01.html

Android Security Bulletin—November 2016 | Android Open Source Project
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-6722

Products affected by CVE-2016-6722

Exploit prediction scoring system (EPSS) score for CVE-2016-6722

CVSS scores for CVE-2016-6722

CWE ids for CVE-2016-6722

References for CVE-2016-6722