Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2016-5349

Date: April 6, 2017

The high level operating systems (HLOS) was not providing sufficient memory address information to ensure that secure applications inside Qualcomm Secure Execution Environment (QSEE) only write to legitimate memory ranges related to the QSEE secure application's HLOS client. When secure applications inside Qualcomm Secure Execution Environment (QSEE) receive memory addresses from a high level operating system (HLOS) such as Linux Android, those address have previously been verified as belonging to HLOS memory space rather than QSEE memory space, but they were not verified to be from HLOS user space rather than kernel space. This lack of verification could lead to privilege escalation within the HLOS.

Language: C

Severity Score

Related Resources (7)

https://source.android.com/security/bulletin/2017-04-01
https://www.qualcomm.com/company/product-security/security-advisories
http://www.securitytracker.com/id/1038201
http://www.securityfocus.com/bid/97364
https://nvd.nist.gov/vuln/detail/CVE-2016-5349
https://www.codeaurora.org/insufficient-memory-address-information-prevent-arbitrary-memory-access-qsee-secure-applications-cve
https://www.mend.io/vulnerability-database/CVE-2016-5349

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us