CVE-2016-0846

HIGH

Android <4.4.4, <5.0.2, <5.1.1, <2016-04-01 - Privilege Escalation


Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-0846. PoCs published by Google Security Research, secmob, b0b0505.

AI-analyzed exploit summary: This exploit targets a vulnerability in Android's IMemory interface (CVE-2016-0846), allowing arbitrary memory access due to lack of bounds checking between IMemory and IMemoryHeap. The PoC demonstrates a crash in the media server by exploiting ICrypto::decrypt.

Description

libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider the heap size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26877992.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Google Security Research · text · dos · android
https://www.exploit-db.com/exploits/39686

This exploit targets a vulnerability in Android's IMemory interface (CVE-2016-0846), allowing arbitrary memory access due to lack of bounds checking between IMemory and IMemoryHeap. The PoC demonstrates a crash in the media server by exploiting ICrypto::decrypt.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android 6.0.1 (January patches)
No auth needed
Prerequisites: Local access to the Android device · Ability to interact with Binder IPC
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 36 stars
by secmob · poc
https://github.com/secmob/CVE-2016-0846

This repository contains a functional exploit for CVE-2016-0846, demonstrating arbitrary memory read/write via an IMemory bug in Android's media framework. The PoC hooks the BnMemory::onTransact function to manipulate memory offsets and sizes, leading to out-of-bounds access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android media framework (ClearKey DRM)
No auth needed
Prerequisites: Android device with vulnerable media framework · Access to execute native code
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by b0b0505 · poc
https://github.com/b0b0505/CVE-2016-0846-PoC

The repository contains a functional PoC for CVE-2016-0846, a vulnerability in Android's mediaserver component. The exploit leverages a fake memory object to trigger a use-after-free condition during cryptographic operations, potentially leading to arbitrary code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android mediaserver (versions affected by CVE-2016-0846)
No auth needed
Prerequisites: Access to a vulnerable Android device · Ability to execute the compiled binary on the target system
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39686/
Patch, Vendor Advisory x_refsource_confirm
http://source.android.com/security/bulletin/2016-04-02.html

Scores

CVSS v3 8.4
EPSS 0.0118
EPSS Percentile 63.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-264
Status: published
Products (22)
google/android 4.0
google/android 4.0.1
google/android 4.0.2
google/android 4.0.3
google/android 4.0.4
google/android 4.1
google/android 4.1.2
google/android 4.2
google/android 4.2.1
google/android 4.2.2
... and 12 more
Published Apr 18, 2016
Tracked Since Feb 18, 2026