Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-3861Improper Restriction of Operations within the Bounds of a Memory Buffer in Android-platform-system-core

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-2649 documents8 sources
Severity
7.8HIGHNVD
EPSS
12.4%
top 6.07%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Debian Android-platform-system-coreGoogle Android
Timeline
PublishedSep 11
Latest updateMay 17

Description

LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

debiandebian/android-platform-system-core< android-platform-system-core 1:7.0.0+r1-4 (bullseye)
NVDgoogle/android23 versions+22

Patches

Patch: android.googlesource.comPatch: android.googlesource.comPatch: android.googlesource.com

🔴Vulnerability Details

2
GHSA
GHSA-42m2-m4h3-qr94: LibUtils in Android 42022-05-17
OSV
CVE-2016-3861: LibUtils in Android 42016-09-11

💥Exploits & PoCs

1
Exploit-DB
Google Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow2016-09-08

🔍Detection Rules

2
Suricata
ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set2016-09-12
Suricata
ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP2016-09-12

📋Vendor Advisories

2
Android
CVE-2016-3861: Android Security Bulletin 2016-09-01 CVE: CVE-2016-3861 Severity: CRITICAL Affected AOSP versions: 42016-09-01
Debian
CVE-2016-3861: android-platform-system-core - LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6....2016