CVE-2016-3861

Published: 11/09/2016 Updated: 03/09/2017
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 935
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

LibUtils in Android 4.x prior to 4.4.4, 5.0.x prior to 5.0.2, 5.1.x prior to 5.1.1, 6.x prior to 2016-09-01, and 7.0 prior to 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote malicious users to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.

Vulnerable Products

google android 4.0
google android 4.0.1
google android 4.0.2
google android 4.0.3
google android 4.0.4
google android 4.1
google android 4.1.2
google android 4.2
google android 4.2.1
google android 4.2.2
google android 4.3
google android 4.3.1
google android 4.4
google android 4.4.1
google android 4.4.2
google android 4.4.3
google android 5.0
google android 5.0.1
google android 5.1
google android 5.1.0
google android 6.0
google android 6.0.1
google android 7.0

Vendor Advisories

Debian Bug report logs - #858177 CVE-2016-3921 CVE-2016-3885 CVE-2016-3861 Package: src:android-platform-system-core; Maintainer for src:android-platform-system-core is Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Sun, 19 Mar 2017 12:39 ...
Debian Bug report logs - #688280 android-tools: CVE-2012-5564: android-tools-adb creates a file with a static file name in /tmp Package: src:android-platform-system-core; Maintainer for src:android-platform-system-core is Android Tools Maintainers <android-tools-devel@lists.alioth.debian.org>; Affects: android-tools-adb Report ...

Exploits

Source: bugs.chromium.org/p/project-zero/issues/detail?id=840 There's an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF-16, resulting in a mismatch between the size calculated by utf16_to_utf8_length and the number of bytes written by utf16_to_utf8. This results in a heap- ...

Github Repositories

my extended take on Mark Brand's CVE-2016-3861 libutils bug

CVE-2016-3861 An extended version of Mark Brand's libutils exploit, from the Google Project Zero blog post: googleprojectzero.blogspot.com/2016/09/return-to-libstagefright-exploiting.html Main differences: all of the mp4 files used for exploitation are generated dynamically in the browser; comes with an 'extra_groom' option, as certain AOSP builds in the 5