CVE-2016-6754

HIGH

Android < 6.0.1 - Remote Code Execution in Webview

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-6754. PoCs published by Guang Gong, secmob, The-Real-TechLord.

AI-analyzed exploit summary: This exploit leverages a type confusion vulnerability in V8 (CVE-2016-6754) to achieve arbitrary memory read/write, leading to remote code execution. It manipulates JavaScript Promises and ArrayBuffers to bypass security checks and gain control over memory layout.

Description

A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. Android ID: A-31217937.

Exploits (3)

exploitdb WORKING POC
by Guang Gong · html · remote · android
https://www.exploit-db.com/exploits/40846

This exploit leverages a type confusion vulnerability in V8 (CVE-2016-6754) to achieve arbitrary memory read/write, leading to remote code execution. It manipulates JavaScript Promises and ArrayBuffers to bypass security checks and gain control over memory layout.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Chromium/Chrome V8 Engine (versions prior to fix)
No auth needed
Prerequisites: Target must visit a malicious webpage · V8 engine with vulnerable version
devstral-2 · analyzed Feb 16, 2026

nomisec STUB 152 stars
by secmob · poc
https://github.com/secmob/BadKernel

The repository contains only a README with minimal information about CVE-2016-6754 (BadKernel) and a reference to a Syscan2016 presentation. No exploit code or technical details are provided.

Classification: Stub (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Android Kernel (specific version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026

gitlab STUB
by The-Real-TechLord · poc
https://gitlab.com/The-Real-TechLord/BadKernel

The repository contains only a README with minimal information about CVE-2016-6754 (BadKernel) and a reference to a presentation. No exploit code or technical details are provided.

Classification: Stub (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: V8 JavaScript engine (specific version unclear)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 23, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40846/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94204

Scores

CVSS v3 8.8
EPSS 0.2845
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-74
Status: published
Products (10)
google/android 5.0
google/android 5.0.1
google/android 5.1
google/android 5.1.0
google/android 6.0
google/android < 6.0.1
Google Inc./Android Android-5.0.2
Google Inc./Android Android-5.1.1
Google Inc./Android Android-6.0
Google Inc./Android Android-6.0.1
Published Nov 25, 2016
Tracked Since Feb 18, 2026