Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches More Critical Vulnerabilities in Android Mediaserver

Google’s latest set of Nexus patches are rolling out now to resolve multiple Critical vulnerabilities in Android, including a series of remote code execution (RCE) flaws in the mediaserver component.

Google’s latest set of Nexus patches are rolling out now to resolve multiple Critical vulnerabilities in Android, including a series of remote code execution (RCE) flaws in the mediaserver component.

Since last July, when mobile security firm Zimperium revealed a series of critical RCE flaws in the Android Stagefright media playback engine, Google has been constantly struggling to patch similar issues. In October, as part of the over-the-air monthly updates rolling out to Nexus devices, the Internet giant patched a second Stagefright flaw.

Google continued to resolve vulnerabilities in Android’s mediaserver in subsequent monthly updates for the popular mobile operating system. An RCE issue was resolved in January, amid a total of 12 vulnerabilities in Android, and two more RCE flaws were patched last month, when Google fixed 16 security bugs in the platform.

The April 2016 Nexus Security Bulletin details 29 security patches, including one for an elevation of privilege (EoP) vulnerability that was fixed with an emergency security patch on March 18. The new round of security updates resolve a total of 39 vulnerabilities in Android, 15 of which are rated Critical, 16 High, and 8 Moderate.

The most important of these appear to be the seven RCE issues in mediaserver (CVE-2016-0835 to CVE-2016-0841), which impact Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 releases. The flaws could be exploited during media file and data processing of a specially crafted file, and attacks can be performed via MMS, browser, and other applications.

Google’s April security bulletin also patches an RCE issue in Media Codec (CVE-2016-0834) and another one in libstagefright (CVE-2016-0842), both affecting Android 6.0 and Android 6.0.1 and both related to the media playback engine. In July, Zimperiu revealed that libstagefright include a Critical flow that affected over 950 million devices, yet Google didn’t patch it properly in the first place.

Other newly resolved Critical vulnerabilities also include two issues (CVE-2014-6060 and CVE-2016-1503) that affect the Dynamic Host Configuration Protocol (DHCP) service and which could result in RCE in the context of the DHCP client. The issues impact Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.

The new set of security updates also patched three elevation of privilege flaws, one in Qualcomm Performance Module (CVE-2016-0843), affecting Android 4.4.4 to 6.0.1 releases, one in Qualcomm RF component (CVE-2016-0844), affecting Android 6.0 and 6.0.1, and another one in Kernel (CVE-2014-9322), affecting Android 6.0 and 6.0.1.

Most of the High severity vulnerabilities fixed in the April security bulletin are EoP bugs, affecting IMemory Native Interface, Telecom Component, Download Manager, Recovery Procedure, Bluetooth, Texas Instruments Haptic Driver, a Video Kernel Driver, Qualcomm Power Management Component, System_server, and Mediaserver. Google also resolved a denial of service issue in Minikin, and five information disclosure vulnerabilities, one in Exchange ActiveSync and four in Mediaserver.

According to Google, Nexus devices with Security Patch Levels of April 2, 2016 or later installed on them are protected from these flaws. Owners of Android devices coming from other manufacturers will have to wait a bit longer for these security updates to arrive, except for BlackBerry PRIV owners, who are already receiving them.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet