CVE-2016-2460

MEDIUM

Android < 4.4.4/5.0.2/5.1.1/2016-05-01 - Information Exposure via Uninitialized Data

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-2460. PoCs published by codecat007.

AI-analyzed exploit summary This PoC exploits CVE-2016-2460, an information leak vulnerability in Android's IGraphicBufferProducer. It demonstrates how an attacker can leak memory contents by manipulating the CONNECT transaction in the media recorder service.

Description

mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, related to IGraphicBufferConsumer.cpp and IGraphicBufferProducer.cpp, aka internal bug 27555981.

Exploits (1)

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/securityPatch/CVE-2016-2460

This PoC exploits CVE-2016-2460, an information leak vulnerability in Android's IGraphicBufferProducer. It demonstrates how an attacker can leak memory contents by manipulating the CONNECT transaction in the media recorder service.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Android (versions affected by CVE-2016-2460)
No auth needed
Prerequisites: Access to the target device's media service · Ability to execute code on the target device
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.5
EPSS 0.0007
EPSS Percentile 22.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (20)
google/android 4.0
google/android 4.0.1
google/android 4.0.2
google/android 4.0.3
google/android 4.0.4
google/android 4.1
google/android 4.1.2
google/android 4.2
google/android 4.2.1
google/android 4.2.2
... and 10 more
Published May 09, 2016
Tracked Since Feb 18, 2026