Vulnerabilities > Google

DATE CVE VULNERABILITY TITLE RISK
2016-04-18 CVE-2016-2423 Permissions, Privileges, and Access Controls vulnerability in Google Android
server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26303187.
low complexity
google CWE-264
6.1
2016-04-18 CVE-2016-2422 Permissions, Privileges, and Access Controls vulnerability in Google Android
Wi-Fi in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not prevent use of a Wi-Fi CA certificate in an unrelated CA role, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324357.
local
low complexity
google CWE-264
7.8
2016-04-18 CVE-2016-2421 Permissions, Privileges, and Access Controls vulnerability in Google Android
Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26154410.
low complexity
google CWE-264
6.1
2016-04-18 CVE-2016-2420 Permissions, Privileges, and Access Controls vulnerability in Google Android
rootdir/init.rc in Android 4.x before 4.4.4 does not ensure that the /data/tombstones directory exists for the Debuggerd component, which allows attackers to gain privileges via a crafted application, aka internal bug 26403620.
local
low complexity
google CWE-264
7.8
2016-04-18 CVE-2016-2419 Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1
media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455.
network
low complexity
google CWE-264
critical
9.8
2016-04-18 CVE-2016-2418 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1
media/libmedia/IOMX.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize certain metadata buffer pointers, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324358.
network
low complexity
google CWE-119
critical
9.8
2016-04-18 CVE-2016-2417 Permissions, Privileges, and Access Controls vulnerability in Google Android
media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26914474.
network
low complexity
google CWE-264
critical
9.8
2016-04-18 CVE-2016-2416 Permissions, Privileges, and Access Controls vulnerability in Google Android
libs/gui/BufferQueueConsumer.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for the android.permission.DUMP permission, which allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via a dump request, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 27046057.
network
low complexity
google CWE-264
critical
9.8
2016-04-18 CVE-2016-2415 Information Exposure vulnerability in Google Android
exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to a GET request, aka internal bug 26488455.
local
low complexity
google CWE-200
5.5
2016-04-18 CVE-2016-2414 Improper Input Validation vulnerability in Google Android
The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider negative size values in font data, which allows remote attackers to cause a denial of service (memory corruption and reboot loop) via a crafted font, aka internal bug 26413177.
local
low complexity
google CWE-20
6.2