CVE-2016-3867

HIGH

Qualcomm IPA Driver - Privilege Escalation

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-3867. PoCs published by ScottyBauer, codecat007.

Description

The Qualcomm IPA driver in Android before 2016-09-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28919863 and Qualcomm internal bug CR1037897.

Exploits (2)

github WORKING POC 682 stars
by ScottyBauer · cpoc
https://github.com/ScottyBauer/Android_Kernel_CVE_POCs/tree/master/CVE-2016-3867.c

This PoC exploits a race condition in the Android kernel's IPA driver (CVE-2016-3867) by manipulating the `num_hdrs` field during an ioctl operation, leading to a use-after-free or memory corruption. The exploit uses multithreading to trigger the race condition between modifying the header count and the ioctl call.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Android kernel (IPA driver)
No auth needed
Prerequisites: Access to /dev/ipa device node · Kernel with vulnerable IPA driver
devstral-2 · analyzed Feb 27, 2026

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/kernel/CVE-2016-3867

The repository contains a functional PoC for CVE-2016-3867, a race condition heap overflow vulnerability in the Android kernel's IPA driver. The PoC uses multiple threads to trigger the vulnerability by rapidly modifying the `num_hdrs` field in the `ipa_ioc_add_hdr` structure via ioctl calls.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Android kernel (IPA driver) on Nexus 6P (6.0.1)
Auth required
Prerequisites: net_admin permission · access to /dev/ipa device node
devstral-2 · analyzed Feb 27, 2026

References (3)

Core References
Patch, Vendor Advisory x_refsource_confirm
http://source.android.com/security/bulletin/2016-09-01.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036763
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92881

Scores

CVSS v3 7.8
EPSS 0.0048
EPSS Percentile 65.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-264
Status: published
Products (1): google/android < 7.0
Published: Sep 11, 2016
Tracked Since: Feb 18, 2026