CVE-2015-3824
The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly restrict size addition, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via a crafted MPEG-4...
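The failure mode in the entry above is an addition of an attacker-controlled chunk size to an accumulated buffer size with no check that the sum fits. The following C is an added example, not libstagefright's code: a minimal MP4 box-header parser, the unchecked accumulation that wraps, and the bounded form that refuses the chunk. The crafted tx3g header is constructed for the example and all function names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* An MP4 box header: 32-bit big-endian size and four-character type. size == 1 means a 64-bit
 * "largesize" follows the type; size == 0 means the box runs to the end of the input. */
struct box { uint64_t size; char type[5]; size_t header_len; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse one box header from `avail` bytes; false if the header itself is truncated. */
static bool parse_box_header(const uint8_t *p, size_t avail, struct box *b)
{
    if (avail < 8) return false;
    b->size = be32(p);
    memcpy(b->type, p + 4, 4);
    b->type[4] = '\0';
    b->header_len = 8;
    if (b->size == 1) {
        if (avail < 16) return false;
        b->size = be64(p + 8);
        b->header_len = 16;
    } else if (b->size == 0) {
        b->size = avail;
    }
    return true;
}

/* The shape of the bug: the buffer size is grown by the chunk's declared size with no check that
 * the addition fits, so a huge size wraps to a small allocation and the later copy of chunk_size
 * bytes overruns it. Returned here only for inspection; never use this as an allocation size. */
static size_t grow_unchecked(size_t have, uint64_t chunk_size)
{
    return (size_t)(have + chunk_size);
}

/* Hardened form: the chunk must fit in the bytes actually remaining in the input, and the
 * addition must not wrap. Returns false (and leaves *out untouched) on either failure. */
static bool grow_checked(size_t have, uint64_t chunk_size, size_t remaining, size_t *out)
{
    if (chunk_size > remaining) return false;
    if (chunk_size > SIZE_MAX - have) return false;
    *out = have + (size_t)chunk_size;
    return true;
}

/* Constructed input (not from a real file): a 'tx3g' box whose largesize is chosen so that
 * 16 + size wraps to 0 in 64-bit arithmetic. Only the 16-byte header is present. */
static const uint8_t crafted_tx3g[16] = {
    0x00, 0x00, 0x00, 0x01, 't', 'x', '3', 'g',
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0,
};

/* Size the crafted header declares (0xfffffffffffffff0). */
static uint64_t demo_declared_size(void)
{
    struct box b;
    return parse_box_header(crafted_tx3g, sizeof crafted_tx3g, &b) ? b.size : 0;
}

/* What the unchecked accumulation computes with 16 bytes already buffered: it wraps to 0. */
static size_t demo_unchecked_total(void)
{
    return grow_unchecked(16, demo_declared_size());
}

/* The hardened path refuses the same chunk: none of its payload is present in the input. */
static bool demo_checked_rejects(void)
{
    size_t total = 16;
    struct box b;
    if (!parse_box_header(crafted_tx3g, sizeof crafted_tx3g, &b)) return false;
    return !grow_checked(total, b.size, sizeof crafted_tx3g - b.header_len, &total);
}

/* A well-formed 8-byte chunk with 8 bytes remaining is accepted and the total becomes 24. */
static size_t demo_checked_accepts(void)
{
    size_t total = 16;
    return grow_checked(total, 8, 8, &total) ? total : 0;
}
```

Checking the declared size against the bytes actually remaining catches the crafted case on its own; the wrap check is kept because a parser that buffers across several chunks can still be walked up to SIZE_MAX with individually plausible sizes.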
Samsung WifiHs20UtilityService
A path traversal vulnerability was found in the WifiHs20UtilityService. This service is running on a Samsung S6 Edge device, and may be present on other Samsung device models. WifiHs20UtilityService reads any files placed in /sdcard/Download/cred.zip, and unzips this file into /data/bundle...
Stagefright
Drake said that the vulnerabilities can be exploited by sending a single multimedia text message to an unpatched Android smartphone. While the exploit is deadly, in some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have...
pipe inatomic
The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a...
Use-After-Free camera driver exploit
A use-after-free vulnerability in the camera driver of Qualcomm MSM 7x30 SoCs...
One class to rule them all
This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. There is a Proof-of-Concept exploit against the Google Nexus 5 device, that achieves code execution inside the highly privileged system_server process, and then...
Mate7 TrustZone Exploit
The tzdriver and TEEOS modules of the Huawei Mate 7 have vulnerabilities which may allow malicious apps to perform denial of service attacks, or gain privileges, by gaining access to the TEE...
PingPongRoot
Wen Xu and wushi of KeenTeam discovered that users allowed to create ping sockets can use them to crash the system and, on 32-bit architectures, for privilege escalation. However, by default, no users on a Debian system have access to ping sockets...
Mtkfb
Memory write vulnerabilities allow a local user to gain privileges...
dhcpd buffer overrun
The specific flaw exists within the parsing of the DHCP options in a DHCP ACK packet. The vulnerability is triggered when the LENGTH of an option, when added to the current read position, exceeds the actual length of the DHCP options buffer. An attacker can leverage this vulnerability to execute...
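The entry above describes the classic TLV-walking bug: an option's length byte is trusted and added to the read position without checking it against the end of the options buffer. The following C is an added example, not dhcpd's code: a bounded walker over the DHCP options field, a copy of the vulnerable shape that reports how far past the buffer a naive copy would read, and constructed option bytes (not a captured packet). Names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_OPT_PAD         0
#define DHCP_OPT_ROUTER      3
#define DHCP_OPT_LEASE      51
#define DHCP_OPT_MSG_TYPE   53
#define DHCP_OPT_SERVER_ID  54
#define DHCP_OPT_END       255

struct dhcp_option { uint8_t code; uint8_t len; const uint8_t *data; };

/* Bounded walk over the options field. Every option must fit entirely inside `optlen` bytes:
 * the code byte, the length byte and `len` data bytes. An option whose length would carry the
 * read position past the buffer ends the walk with failure; it is never clamped or skipped. */
static bool dhcp_find_option(const uint8_t *opts, size_t optlen, uint8_t want, struct dhcp_option *out)
{
    size_t pos = 0;
    while (pos < optlen) {
        uint8_t code = opts[pos];
        if (code == DHCP_OPT_PAD) { pos++; continue; }
        if (code == DHCP_OPT_END) return false;
        if (optlen - pos < 2) return false;           /* no room for the length byte */
        uint8_t len = opts[pos + 1];
        if (len > optlen - pos - 2) return false;     /* data would run past the buffer */
        if (code == want) {
            out->code = code; out->len = len; out->data = opts + pos + 2;
            return true;
        }
        pos += 2 + (size_t)len;
    }
    return false;
}

/* The vulnerable shape, kept free of the actual out-of-bounds read: it trusts `len` as soon as
 * the code and length bytes are inside the buffer and reports how many bytes past the end a copy
 * of the option's data would touch (0 when the option is well-formed or absent). */
static size_t dhcp_overrun_unchecked(const uint8_t *opts, size_t optlen, uint8_t want)
{
    size_t pos = 0;
    while (pos < optlen) {
        uint8_t code = opts[pos];
        if (code == DHCP_OPT_PAD) { pos++; continue; }
        if (code == DHCP_OPT_END || optlen - pos < 2) return 0;
        size_t end = pos + 2 + opts[pos + 1];          /* no comparison against optlen */
        if (code == want) return end > optlen ? end - optlen : 0;
        pos = end;
    }
    return 0;
}

/* Constructed options of a well-formed DHCPACK (not a captured packet). */
static const uint8_t ack_opts[] = {
    DHCP_OPT_MSG_TYPE, 1, 5,                  /* DHCPACK */
    DHCP_OPT_SERVER_ID, 4, 192, 168, 1, 1,
    DHCP_OPT_LEASE, 4, 0, 0, 0x0e, 0x10,      /* 3600 s */
    DHCP_OPT_ROUTER, 4, 192, 168, 1, 1,
    DHCP_OPT_END,
};

/* Constructed malicious options: the router option claims 200 bytes but only 3 follow. */
static const uint8_t bad_opts[] = {
    DHCP_OPT_MSG_TYPE, 1, 5,
    DHCP_OPT_ROUTER, 200, 192, 168, 1,
};

/* Router from the good ACK packed big-endian (0xC0A80101), or 0 if not found / wrong length. */
static uint32_t demo_router_from_ack(void)
{
    struct dhcp_option o;
    if (!dhcp_find_option(ack_opts, sizeof ack_opts, DHCP_OPT_ROUTER, &o) || o.len != 4) return 0;
    return ((uint32_t)o.data[0] << 24) | ((uint32_t)o.data[1] << 16) | ((uint32_t)o.data[2] << 8) | o.data[3];
}

/* The bounded walker refuses the malicious buffer outright. */
static bool demo_bad_rejected(void)
{
    struct dhcp_option o;
    return !dhcp_find_option(bad_opts, sizeof bad_opts, DHCP_OPT_ROUTER, &o);
}

/* The unchecked walker would read 197 bytes beyond the 8-byte buffer (3 + 2 + 200 - 8). */
static size_t demo_bad_overrun(void)
{
    return dhcp_overrun_unchecked(bad_opts, sizeof bad_opts, DHCP_OPT_ROUTER);
}
```

The check is written as `len > optlen - pos - 2` rather than `pos + 2 + len > optlen` so that it cannot itself overflow on a 16-bit or unusually small position type; with `pos < optlen` and at least two bytes left, the subtraction is always in range.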
libmsm memory corruption
A memory read exploit that uses a vulnerability in the camera driver...
ObjectInputStream deserializable
In Android versions before 5.0, java.io.ObjectInputStream did not check whether the Object being deserialized is actually serializable. That issue was fixed in Android 5.0. This means that when ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-privat...
Mediaserver code execution
Two vulnerabilities which allow arbitrary code execution in the mediaserver process...
QSEECOM driver
A Linux kernel privilege escalation vulnerability allows arbitrary code to be executed within the kernel...
Full TrustZone
A vulnerability in a modified kernel means that a series of exploits can be used to obtain access to the Trusted Execution Environment...
StumpRoot
Vulnerability affecting LG devices released between 2012 and 2014...
Fake ID
The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions. The vulnerability resides in the...
keystore buffer
Stack-based buffer overflow in the encode_key function in /system/bin/keystore in the KeyStore service in Android 4.3 allows attackers to execute arbitrary code, and consequently obtain sensitive key information or bypass intended restrictions on cryptographic operations, via a long key name...
Z2 root exploit
A system vulnerability enables users to obtain root access to some Sony devices via the shell...
TowelRoot
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification...
vold asec
Insufficient parameter checking for asec container creation allows an asec container to be mounted over part of the filesystem using directory traversal if the app has the ASEC permissions such as ASEC_CREATE. There is an adb-tethered root exploit for Motorola phones...
pty race
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition...
WeakSauce
WeakSauce is an exploit for some HTC devices. It was compatible with the HTC One m7 & m7 on Verizon...
Qualcomm chown init scripts
Insecure owner/permission changes in init shell scripts CVE-2013-6124: During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used to,...
Qualcomm out of bounds camera
Out of bounds array access in camera driver CVE-2013-6123: The camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ioctl_server, msm_server_send_ctrl, and msm_ctrl_cmd_done functions use a user-supplied value as an ind...
TwerkMyMoto
Motorola Razr I x86 4.1.2 root exploit, silly permissions bug. symlink /data/logs/core to uevent_helper...
Qualcomm Goodix driver procfs
Multiple memory corruption issues and race condition in Goodix gt915 touchscreen driver procfs handler CVE-2013-4740 CVE-2013-6122 QCIR-2013-00009-1: Multiple issues have been identified in the Goodix gt915 touchscreen driver for Android. The issues were found in the write handler of the procfs...
APK unchecked name
APK signature verification does not check name lengths correctly, creating a difference between how the zip files are verified compared with how they are extracted which allows files in an existing APK to be replaced with new files. Exploited by RockMyMoto...
Qualcomm stack buffer overflow camera
Stack-based buffer overflow and memory disclosure in camera driver QCIR-2013-00008-1: A stack-based buffer overflow and a kernel memory disclosure vulnerability have been discovered in the system call handlers of the camera driver...
Defy republic init_runit
A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object. Stack-based buffer overflow in the...
RageAgainstTheCage zygote
Also known as Zimperlich...
Qualcomm missing checks put_user get_user
Missing access checks in put_user/get_user kernel API CVE-2013-6282 QCIR-2013-00010-1: The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This functionality was originally implemented and controlled by the domain...
RageAgainstTheCage adb
adb fails to check the setuid return code, and this can be caused to fail by the shell user already having RLIMIT_NPROC processes...
levitator
Improper bounds checking in the PowerVR driver as used in versions of Android prior to 2.3.6 when copying user data to kernel memory allows a malicious local application to write to the same area of memory referenced in CVE-2011-1350, potentially allowing for arbitrary code execution and privileg...
Qualcomm Integer overflow camera
Integer overflow and signedness issue in camera JPEG engines CVE-2013-4736 QCIR-2013-00005-1: The JPEG engines that are part of the camera driver provide an ioctl system call interface to user space clients for communication. When processing hardware commands ioctl calls, the drivers are...
APK unsigned shorts
File offsets in zips are supposed to be unsigned but were interpreted as signed, allowing different content to be verified from the content executed...
APK duplicate file
Android does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file APK that is modified in a way that does not violate the cryptographic signature. Android security bug 8219321...
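The three APK signature bugs in the entries "APK unchecked name", "APK unsigned shorts" and "APK duplicate file" above share one cause: the verifier and the extractor read the archive differently, so the bytes that were hashed are not the bytes that end up on disk. The following C is an added example, not Android's code: it builds small stored-only zip archives in memory and runs the consistency checks a verifier should apply to the central directory before trusting anything. The archive builder, the entry names and the check function are the example's own, and the four archives are constructed, not real APKs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ZIP 4096
#define MAX_ENTRIES 32

enum zip_verdict { ZIP_OK, ZIP_TRUNCATED, ZIP_BAD_SIG, ZIP_BAD_OFFSET, ZIP_NAME_MISMATCH, ZIP_DUPLICATE_NAME };

/* Archive under construction: local headers and data go to buf, the central directory is
 * collected in cd and appended by zip_finish(). */
struct zipbuf { uint8_t buf[MAX_ZIP]; size_t len; uint8_t cd[MAX_ZIP]; size_t cdlen; uint16_t count; size_t cd_start; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Append one STORED entry (CRC left at zero). cd_name is recorded in the central directory,
 * local_name in the local file header; a legitimate archive uses the same string for both. */
static void zip_add(struct zipbuf *z, const char *cd_name, const char *local_name, const char *data)
{
    uint16_t cn = (uint16_t)strlen(cd_name), ln = (uint16_t)strlen(local_name);
    uint32_t n = (uint32_t)strlen(data), off = (uint32_t)z->len;
    uint8_t *lh = z->buf + z->len, *ce = z->cd + z->cdlen;
    memset(lh, 0, 30); memset(ce, 0, 46);
    wr32(lh, 0x04034b50u); wr16(lh + 4, 20);                 /* local header signature, version needed */
    wr32(lh + 18, n); wr32(lh + 22, n); wr16(lh + 26, ln);   /* sizes (stored), file name length */
    memcpy(lh + 30, local_name, ln); memcpy(lh + 30 + ln, data, n);
    z->len += 30 + ln + n;
    wr32(ce, 0x02014b50u); wr16(ce + 4, 20); wr16(ce + 6, 20); /* central header signature, versions */
    wr32(ce + 20, n); wr32(ce + 24, n); wr16(ce + 28, cn);
    wr32(ce + 42, off);                                      /* relative offset of the local header */
    memcpy(ce + 46, cd_name, cn);
    z->cdlen += 46 + cn; z->count++;
}

/* Append the central directory and the end-of-central-directory record (no archive comment). */
static void zip_finish(struct zipbuf *z)
{
    uint8_t *e = z->buf + z->len + z->cdlen;
    z->cd_start = z->len;
    memcpy(z->buf + z->len, z->cd, z->cdlen);
    memset(e, 0, 22); wr32(e, 0x06054b50u);
    wr16(e + 8, z->count); wr16(e + 10, z->count);           /* entries on this disk / total */
    wr32(e + 12, (uint32_t)z->cdlen); wr32(e + 16, (uint32_t)z->cd_start);
    z->len += z->cdlen + 22;
}

/* Walk the central directory the way a verifier should, rejecting the three inconsistencies
 * before anything is hashed or extracted. */
static enum zip_verdict zip_check(const uint8_t *zip, size_t len)
{
    const uint8_t *names[MAX_ENTRIES]; uint16_t nlens[MAX_ENTRIES];
    uint32_t cd_off, cd_size, pos; uint16_t count, i;
    if (len < 22 || rd32(zip + len - 22) != 0x06054b50u) return ZIP_BAD_SIG;
    count = rd16(zip + len - 22 + 10);
    cd_size = rd32(zip + len - 22 + 12);
    cd_off = rd32(zip + len - 22 + 16);
    if (count > MAX_ENTRIES || cd_off > len - 22 || cd_size > len - 22 - cd_off) return ZIP_TRUNCATED;
    for (i = 0, pos = cd_off; i < count; i++) {
        const uint8_t *ce = zip + pos, *lh;
        uint16_t cn, ln, j;
        uint32_t off;
        if (cd_off + cd_size - pos < 46 || rd32(ce) != 0x02014b50u) return ZIP_BAD_SIG;
        cn = rd16(ce + 28);
        off = rd32(ce + 42);
        if (cd_off + cd_size - pos - 46 < cn) return ZIP_TRUNCATED;
        /* "APK unsigned shorts": read as a signed 32-bit int this offset is negative, so verifier
         * and extractor may resolve it differently; refuse anything not inside the file. */
        if ((off & 0x80000000u) || off + 30 > cd_off) return ZIP_BAD_OFFSET;
        lh = zip + off;
        if (rd32(lh) != 0x04034b50u) return ZIP_BAD_SIG;
        ln = rd16(lh + 26);
        /* "APK unchecked name": the name that was verified must be the name that gets extracted. */
        if (ln != cn || off + 30 + ln > cd_off || memcmp(lh + 30, ce + 46, cn) != 0) return ZIP_NAME_MISMATCH;
        /* "APK duplicate file": a second entry with the same name would replace the verified one. */
        for (j = 0; j < i; j++)
            if (nlens[j] == cn && memcmp(names[j], ce + 46, cn) == 0) return ZIP_DUPLICATE_NAME;
        names[i] = ce + 46; nlens[i] = cn;
        pos += 46 + cn + rd16(ce + 30) + rd16(ce + 32);      /* skip extra field and comment */
    }
    return ZIP_OK;
}

static struct zipbuf z;  /* shared scratch archive; static because it is too large for the stack */

/* Build a one- or two-entry archive (cd2 == NULL for one entry). */
static void build(const char *cd1, const char *lh1, const char *cd2, const char *lh2)
{
    memset(&z, 0, sizeof z);
    zip_add(&z, cd1, lh1, "dex");
    if (cd2) zip_add(&z, cd2, lh2, "mf");
    zip_finish(&z);
}

static enum zip_verdict demo_clean(void) { build("classes.dex", "classes.dex", "META-INF/MANIFEST.MF", "META-INF/MANIFEST.MF"); return zip_check(z.buf, z.len); }
static enum zip_verdict demo_duplicate_name(void) { build("classes.dex", "classes.dex", "classes.dex", "classes.dex"); return zip_check(z.buf, z.len); }
static enum zip_verdict demo_name_mismatch(void) { build("classes.dex", "classes.dex.bak", NULL, NULL); return zip_check(z.buf, z.len); }
static enum zip_verdict demo_signed_offset(void)
{
    build("classes.dex", "classes.dex", NULL, NULL);
    wr32(z.buf + z.cd_start + 42, 0x80000000u);  /* first entry's offset (0) with the sign bit set */
    return zip_check(z.buf, z.len);
}
```

The point of checking from the central directory and then cross-checking each local header is that both views of the archive are forced to agree before either is used; an extractor that later walks local headers on its own cannot then see a name, an offset or an entry that the verifier did not.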
LG Sprite backup
Race condition in Sprite Software's backup software, installed by OEM on LG Android devices...
Qualcomm acdb audio buffer overflow
The acdb audio driver provides an ioctl system call interface to user space clients for communication. When processing arguments passed to the ioctl handler, a user space supplied size is used to copy as many bytes from user space to a local stack buffer without proper bounds checking. An...
Qualcomm Gandalf camera driver
The camera driver provides several interfaces to user space clients. The user space clients communicate to the kernel via syscalls such as ioctl or mmap. The camera driver provides an uncontrolled mmap interface that allows an application with access to the device file to map physical memory...
Motochopper
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9 QCIR-2013-00004-1...
Samsung GPU DMA
...
Diaggetroot
A vulnerability in the Qualcomm Innovation Center QuIC Diagnostics aka DIAG kernel-mode driver allows arbitrary code execution or denial of service via a call to diagchar_ioctl...
JavaScript to Java
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application...
camera-isp - camera-sysr - Vcodec
An exploit on MTK-based devices using the Framaroot app. Actually consists of three exploits: Boromir camera-isp, Faramir camera-sysr and Barahir Vcodec...
exynosroot
A kernel driver vulnerability exposes /dev/exynos-mem, a device node that gives access to all physical memory, so any process that can open it can obtain root access...
Qualcomm Integer overflow diagnostics
QCIR-2012-00001-1: Multiple security vulnerabilities have been discovered in the handling of the diagchar_ioctl and kgsl_ioctl system call parameters for the diagnostics DIAG and KGSL graphics kernel drivers for Android...
LG Lit
Bug in LG backlight driver allows gaining root from local user...
mempodroid - mempodripper - mem exploit
The mem_write function in the Linux kernel does not properly check permissions, allowing a user to gain privileges...
TPSparkyRoot
A bug in chmod, mkdir and chown means that they fail when the last element of their target path is a symlink...