cbcvebase.
CVE-2016-6754
published 2016-11-25

CVE-2016-6754: A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to…

PriorityP260high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
4.59%
90.5th percentile
A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. Android ID: A-31217937.

Affected

11 ranges
VendorProductVersion rangeFixed in
googleandroid<= 6.0.1
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
google_incandroid
google_incandroid
google_incandroid
google_incandroid

Detection & IOCsextracted from sources · hover to see the quote

  • Exploitation targets WebView in Android 5.0.x, 5.1.x, and 6.x; monitor for suspicious WebView-initiated remote code execution in unprivileged processes on unpatched Android devices
  • Exploit is delivered via a malicious web page; the attack vector is drive-by browsing, so network-level detection should focus on suspicious JavaScript leveraging DataView/ArrayBuffer manipulation patterns consistent with heap exploitation (e.g., use of DataView.setUint32 to overwrite controlled memory addresses)
  • The exploit is publicly known as 'BadKernel' RCE; threat hunting should search for this exploit name in proxy/IDS logs and endpoint telemetry
  • Affected AOSP versions are 5.0.2, 5.1.1, 6.0, and 6.0.1; asset inventory checks should flag devices running these versions as vulnerable
  • ·The exploit targets an unprivileged process (WebView renderer); post-exploitation activity may be sandboxed and require a privilege escalation chain for full device compromise

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.