CVE-2016-2496

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (2)

NVD, NVD

CWE (1)

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CAPEC (-)

Risk

CVSS Score

9.8 Critical

SSVC

KEV

EPSS

0.2%

Affected Products (-)

Vendors (1)

google

Products (1)

android

Versions (2)

6.0, 6.0.1

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (4)

General (-)

Exploits & POcs (-)

Patches (3)

googlesource

Advisories (1)

android

Summary

Descriptions

The Framework UI permission-dialog implementation in Android 6.x before 2016-06-01 allows attackers to conduct tapjacking attacks and access arbitrary private-storage files by creating a partially overlapping window, aka internal bug 26677796.

La implementación permission-dialog Framework UI en Android 6.x en versiones anteriores a 2016-06-01 permite a atacantes llevar a cabo ataques tapjacking y acceder a archivos en almacenamiento privado arbitrarios creando una ventana superpuesta parcialmente, también conocido como error interno 26677796.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-02-18 CVE Reserved
2016-06-13 CVE Published
2024-01-27 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://android.googlesource.com/platform/frameworks/base/+/613f63b938145bb86cd64fe0752eaf5e99b5f628	2024-01-26
https://android.googlesource.com/platform/frameworks/native/+/03a53d1c7765eeb3af0bc34c3dff02ada1953fbf	2024-01-26
https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2068c7997265011ddc5e4dfa3418407881f7f81e	2024-01-26

URL	Date	SRC
http://source.android.com/security/bulletin/2016-06-01.html	2024-01-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				6.0 Search vendor "Google" for product "Android" and version "6.0"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				6.0.1 Search vendor "Google" for product "Android" and version "6.0.1"		-		Affected

CVE-2016-2496

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (4)

Affected Vendors, Products, and Versions