CVE-2016-3749

HIGH

Android 6.x - Unauthenticated Screen-Lock Password Modification via Crafted Application

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-3749. PoCs published by nirdev.

AI-analyzed exploit summary This PoC exploits CVE-2016-3749, a vulnerability in Android's LockSettingsService that allows changing the device password without proper authentication. The app uses the 'service call' command to interact with the ILockSettings interface, bypassing the need for the correct old password.

Description

server/LockSettingsService.java in LockSettingsService in Android 6.x before 2016-07-01 allows attackers to modify the screen-lock password or pattern via a crafted application, aka internal bug 28163930.

Exploits (1)

nomisec WORKING POC
by nirdev · poc
https://github.com/nirdev/CVE-2016-3749-PoC

This PoC exploits CVE-2016-3749, a vulnerability in Android's LockSettingsService that allows changing the device password without proper authentication. The app uses the 'service call' command to interact with the ILockSettings interface, bypassing the need for the correct old password.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Android 6.0.0 (Marshmallow)
No auth needed
Prerequisites: Physical access to the device or ADB access · Android 6.0.0 or vulnerable version
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

Scores

CVSS v3 8.4
EPSS 0.0027
EPSS Percentile 18.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-255
Status published
Products (2)
google/android 6.0
google/android 6.0.1
Published Jul 11, 2016
Tracked Since Feb 18, 2026