Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches 40 Vulnerabilities in Android

Google’s May 2016 security update for the Android operating system patches a total of 40 vulnerabilities, including many rated critical and high severity.

Google’s May 2016 security update for the Android operating system patches a total of 40 vulnerabilities, including many rated critical and high severity.

The list of critical issues includes another round of remote code execution flaws in mediaserver, and privilege escalation vulnerabilities in the Android debugger, the Qualcomm TrustZone component, the Qualcomm Wi-Fi driver, the kernel, and the NVIDIA video driver.

The mediaserver flaws allow an attacker to remotely execute code within the context of the mediaserver service. The privilege escalation weaknesses allow a local malicious application to execute arbitrary code in the context of the Android debugger or the kernel.

The critical vulnerabilities have been assigned the following CVE identifiers: CVE-2016-2428, CVE-2016-2429, CVE-2016-2430, CVE-2016-2431, CVE-2016-2432, CVE-2015-0569, CVE-2015-0570, CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, CVE-2016-2437 and CVE-2015-1805.

The high severity issues patched by Google with this month’s Android updates include remote code execution vulnerabilities in the kernel and Bluetooth, and privilege elevation flaws in various Qualcomm components, Wi-Fi, mediaserver, the MediaTek Wi-Fi driver, and Binder. An information disclosure vulnerability in the Qualcomm tethering controller and a remote denial-of-service (DoS) vulnerability in the Qualcomm hardware codec have also been classified as having high severity.

The CVE identifiers assigned to these flaws are CVE-2016-2438, CVE-2016-2060, CVE-2016-2439, CVE-2016-2440, CVE-2016-2441, CVE-2016-2442, CVE-2016-2443, CVE-2015-0571, CVE-2016-2444, CVE-2016-2445, CVE-2016-2446, CVE-2016-2447, CVE-2016-2448, CVE-2016-2449, CVE-2016-2450, CVE-2016-2451, CVE-2016-2452, CVE-2016-2453 and CVE-2016-2454.

The Android update also resolves several moderate severity issues, including privilege escalation and information disclosure vulnerabilities. Only one of the 40 flaws patched this month has been rated as low severity – a DoS bug affecting the kernel.

Advertisement. Scroll to continue reading.

The vulnerabilities patched by Google with the May 2016 update were reported between October 15, 2015, and March 23 by independent researchers and experts affiliated with Google, e2e-assure, C0re Team, FireEye, Qihoo 360, Search-Lab, Tencent, Trend Micro, Alibaba and Baidu.

A security update that includes patches for most of the flaws has been pushed out to Nexus devices. Google has notified its partners about the issues on April 4 or earlier, and it will publish the source code patches on the Android Open Source Project (AOSP) repository sometime over the next couple of days.

Google also announced that it has updated severity ratings in an effort to better align them with real world impact to users.

In addition to regular Android security updates, Google sometimes releases emergency patches to address critical vulnerabilities that require immediate attention. In March, the search giant issued an update to fix a local privilege escalation flaw that had been exploited by a rooting application.

Related: Android Ransomware Dropped via Towelroot, Hacking Team Exploits

Related: Google Patches Critical Vulnerabilities in Android

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.