CVE-2016-0801
published 2016-02-07

Priority: P270
Severity: critical, 9.8 (CVSS 3.0), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 33.37% (98.2nd percentile)
The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.

Affected

15 ranges

Vendor   Product                                                Version range                        Fixed in
apple    ios                                                    (none listed)                        (none listed)
apple    iphone_os                                              <= 9.2.1                             (none listed)
apple    mac_os_x                                               <= 10.11.3                           (none listed)
apple    os_x_el_capitan_v10.11.4_and_security_update_2016-002  (none listed)                        (none listed)
apple    tvos                                                   <= 9.1                               (none listed)
apple    tvos                                                   (none listed)                        (none listed)
apple    watchos                                                <= 2.1                               (none listed)
apple    watchos                                                (none listed)                        (none listed)
debian   firmware-nonfree                                       < firmware-nonfree 20180518-1 (bookworm)   firmware-nonfree 20180518-1 (bookworm)
google   android                                                (6 entries, version ranges not listed)     (none listed)

Detection & IOCs (extracted from sources)

IOC (other): WPS Probe Response packet with a device_name field longer than 100 characters
IOC (other): 802.11 management frame subtype Probe Response (0x05)
  • Monitor Wi-Fi traffic for 802.11 Probe Response frames (subtype 0x05) that carry an oversized WPS device_name attribute (>100 characters) inside the Vendor Specific IE (Microsoft OUI 00:50:F2, WPS OUI type 0x04). Such frames are the exploit delivery mechanism.
  • The exploit requires the attacking interface to be in monitor mode (IW_MODE_MONITOR) and uses raw AF_PACKET/SOCK_RAW sockets (protocol argument 0x0300) to inject crafted 802.11 frames.
  • The exploit targets Android devices running Broadcom Wi-Fi drivers on versions 4.4.4, 5.0, 5.1.1, 6.0 and 6.0.1; treat unpatched devices in these version ranges as high-risk.
  • The exploit sends its frames to the broadcast MAC (ff:ff:ff:ff:ff:ff), so any vulnerable Broadcom Wi-Fi device within radio range, not only a targeted station, may be affected. The DESTINATION_MAC in the PoC is configurable, so a unicast variant aimed at one victim is equally possible and will not show up in detection that keys only on the broadcast address.
  • The attacking interface must be in monitor mode for the exploit to work; a standard managed-mode interface cannot inject the raw 802.11 Probe Response frames required.
  • The vulnerability is in the Broadcom Wi-Fi kernel driver and is triggered passively: the victim only needs to be scanning for Wi-Fi networks (receiving Probe Responses). No user interaction and no association with the attacker's network are required.
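The indicators above describe a frame pattern rather than a rule, so here is a small stand-alone detector for it. This is an added example, not code from the page or from the published PoC: it parses a raw 802.11 management frame (assumed to arrive without a radiotap header or trailing FCS, as a monitor-mode capture tool would hand it over after stripping both), walks the information elements, locates the WPS Vendor Specific IE (OUI 00:50:F2, type 0x04), decodes the WSC TLV attributes and flags a device_name (attribute 0x1011) longer than the page's 100-byte threshold. The sample frames are constructed inline for the demonstration; the MAC addresses in them are made up.

```python
"""Flag 802.11 Probe Responses carrying an oversized WPS device_name (CVE-2016-0801 delivery pattern).

Added example; frames are assumed to be raw 802.11 (no radiotap header, no FCS).
"""
import struct

WPS_OUI = b"\x00\x50\xf2"          # Microsoft OUI used by WSC/WPS
WPS_OUI_TYPE = 0x04                # OUI type 4 identifies the WPS IE
IE_VENDOR_SPECIFIC = 0xDD          # element ID 221
WPS_ATTR_DEVICE_NAME = 0x1011      # WSC "Device Name" attribute
WPS_ATTR_VERSION = 0x104A          # WSC "Version" attribute
IOC_THRESHOLD = 100                # page IOC: device_name > 100 bytes (WSC spec allows at most 32)
SUBTYPE_PROBE_RESPONSE = 0x05
MGMT_HEADER_LEN = 24               # FC(2) Dur(2) A1(6) A2(6) A3(6) Seq(2)
MGMT_FIXED_FIELDS_LEN = 12         # Timestamp(8) BeaconInterval(2) Capability(2)


def frame_type_subtype(frame):
    """Decode type and subtype from the first Frame Control byte."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def iter_ies(data):
    """Yield (element_id, body) for each 802.11 information element; raise on truncation."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("dangling IE header")
        ie_id, ie_len = data[off], data[off + 1]
        body = data[off + 2: off + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("truncated IE %d" % ie_id)
        yield ie_id, body
        off += 2 + ie_len


def parse_wps_attrs(payload):
    """WSC attributes are big-endian TLVs: 2-byte type, 2-byte length, value."""
    attrs, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("dangling WPS attribute header")
        atype, alen = struct.unpack_from(">HH", payload, off)
        off += 4
        value = payload[off: off + alen]
        if len(value) != alen:
            raise ValueError("truncated WPS attribute 0x%04x" % atype)
        attrs.append((atype, value))
        off += alen
    return attrs


def check_probe_response(frame, threshold=IOC_THRESHOLD):
    """Return a finding dict for a Probe Response with an oversized WPS device_name
    (or a malformed IE layout), or None if the frame is uninteresting."""
    if len(frame) < MGMT_HEADER_LEN + MGMT_FIXED_FIELDS_LEN:
        return None
    ftype, subtype = frame_type_subtype(frame)
    if ftype != 0 or subtype != SUBTYPE_PROBE_RESPONSE:
        return None
    dst, src = frame[4:10], frame[10:16]
    base = {"src": src.hex(":"), "dst": dst.hex(":"), "broadcast": dst == b"\xff" * 6}
    ies = frame[MGMT_HEADER_LEN + MGMT_FIXED_FIELDS_LEN:]
    try:
        for ie_id, body in iter_ies(ies):
            if ie_id != IE_VENDOR_SPECIFIC or len(body) < 4:
                continue
            if body[:3] != WPS_OUI or body[3] != WPS_OUI_TYPE:
                continue
            for atype, value in parse_wps_attrs(body[4:]):
                if atype == WPS_ATTR_DEVICE_NAME and len(value) > threshold:
                    return dict(base, device_name_len=len(value))
    except ValueError as exc:
        # A mangled IE layout aimed at a Broadcom driver is worth a look too.
        return dict(base, malformed=str(exc))
    return None


def scan_frames(frames):
    """Run the check over a list of raw frames and return the findings."""
    return [f for f in (check_probe_response(fr) for fr in frames) if f]


def build_probe_response(device_name, src=bytes.fromhex("021122334455"),
                         dst=b"\xff" * 6, subtype=SUBTYPE_PROBE_RESPONSE):
    """Constructed sample frame (not a capture): management frame with SSID and WPS IEs."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])           # type 0 (mgmt), given subtype
    header = fc + b"\x00\x00" + dst + src + src + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
    ssid_ie = bytes([0x00, 4]) + b"demo"
    wps_attrs = struct.pack(">HH", WPS_ATTR_VERSION, 1) + b"\x10"
    wps_attrs += struct.pack(">HH", WPS_ATTR_DEVICE_NAME, len(device_name)) + device_name
    wps_body = WPS_OUI + bytes([WPS_OUI_TYPE]) + wps_attrs
    if len(wps_body) > 255:
        raise ValueError("a single IE body cannot exceed 255 bytes")
    return header + fixed + ssid_ie + bytes([IE_VENDOR_SPECIFIC, len(wps_body)]) + wps_body


if __name__ == "__main__":
    for finding in scan_frames([build_probe_response(b"Living Room AP"),
                                build_probe_response(b"A" * 150)]):
        print(finding)
```

The WSC specification caps Device Name at 32 octets, so anything above that is already nonconforming; the 100-byte threshold from the IOC is deliberately generous and can be lowered to 32 for a tighter rule at the cost of catching sloppy but benign firmware. A single IE body is limited to 255 bytes, so a device_name much longer than about 240 bytes would have to be split across IEs; the parser above treats each IE on its own and does not reassemble fragments.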

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     8.3    HIGH      AV:A/AC:L/Au:N/C:C/I:C/A:C
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           5.4    MEDIUM

Note the attack-vector disagreement: the v2 vector scores it Adjacent (AV:A), which matches the delivery mechanism described above (crafted 802.11 frames, so the attacker must be within radio range), while the v3 vector scores it Network (AV:N). When prioritising, treat radio proximity as the real precondition; the 9.8 does not mean the bug is reachable from the internet.