CVE-2016-2419

CRITICAL

Android 6.x - Information Disclosure via Uninitialized Key-Request Data Structure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-2419. PoCs published by codecat007.

AI-analyzed exploit summary: This PoC demonstrates an information leak vulnerability in Android's media DRM service (CVE-2016-2419) by exploiting improper handling of Parcel data in the `GET_KEY_REQUEST` transaction, leaking uninitialized memory contents.

Description

media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455.

Exploits (1)

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/securityPatch/CVE-2016-2419

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Android (versions affected by CVE-2016-2419)
No auth needed
Prerequisites: Access to the Android device's media.player service via Binder IPC
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0020
EPSS Percentile: 42.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-264
Status: published
Products (2):
google/android 6.0
google/android 6.0.1
Published: Apr 18, 2016
Tracked Since: Feb 18, 2026