Vulnerabilities > Google > High

DATE CVE VULNERABILITY TITLE RISK
2016-04-18 CVE-2016-1651 Information Exposure vulnerability in multiple products
fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 50.0.2661.75, does not properly implement the sycc420_to_rgb and sycc422_to_rgb functions, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted JPEG 2000 data in a PDF document.
network
low complexity
google debian suse opensuse CWE-200
8.1
2016-04-18 CVE-2016-2422 Permissions, Privileges, and Access Controls vulnerability in Google Android
Wi-Fi in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not prevent use of a Wi-Fi CA certificate in an unrelated CA role, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324357.
local
low complexity
google CWE-264
7.8
2016-04-18 CVE-2016-2420 Permissions, Privileges, and Access Controls vulnerability in Google Android
rootdir/init.rc in Android 4.x before 4.4.4 does not ensure that the /data/tombstones directory exists for the Debuggerd component, which allows attackers to gain privileges via a crafted application, aka internal bug 26403620.
local
low complexity
google CWE-264
7.8
2016-04-18 CVE-2016-2413 Permissions, Privileges, and Access Controls vulnerability in Google Android
media/libmedia/IOMX.cpp in mediaserver in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a handle pointer, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26403627.
local
low complexity
google CWE-264
7.8
2016-04-18 CVE-2016-2412 Permissions, Privileges, and Access Controls vulnerability in Google Android
include/core/SkPostConfig.h in Skia, as used in System_server in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01, mishandles certain crashes, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26593930.
local
low complexity
google CWE-264
7.8
2016-04-18 CVE-2016-2410 Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1
A Qualcomm video kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 26291677.
local
high complexity
google CWE-264
7.4
2016-04-18 CVE-2016-2409 Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1
A Texas Instruments (TI) haptic kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 25981545.
network
high complexity
google CWE-264
8.1
2016-04-18 CVE-2016-0850 Permissions, Privileges, and Access Controls vulnerability in Google Android
The PORCHE_PAIRING_CONFLICT feature in Bluetooth in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to bypass intended pairing restrictions via a crafted device, aka internal bug 26551752.
low complexity
google CWE-264
8.8
2016-04-18 CVE-2016-0849 Numeric Errors vulnerability in Google Android
Multiple integer overflows in minzip/SysUtil.c in the Recovery Procedure in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allow attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26960931.
local
low complexity
google CWE-189
8.4
2016-04-18 CVE-2016-0848 Race Condition vulnerability in Google Android
Race condition in Download Manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to bypass private-storage file-access restrictions via a crafted application that changes a symlink target, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26211054.
local
low complexity
google CWE-362
8.4