CVE-2016-2419

CRITICAL

Google Android - Access Control

Description

media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455.

Exploits (1)

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/securityPatch/CVE-2016-2419

Scores

CVSS v3 9.8
EPSS 0.0020
EPSS Percentile 41.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-264
Status draft

Affected Products (2)

google/android
google/android

Timeline

Published Apr 18, 2016
Tracked Since Feb 18, 2026