CVE-2015-6639
Description
A privilege escalation vulnerability in the Widevine QSEE TrustZone application on Android 5.x and 6.0 allows local attackers to gain elevated privileges via a crafted app using QSEECOM access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Widevine QSEE TrustZone application on Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01. It allows attackers to gain privileges via a crafted application that leverages QSEECOM access (internal bug 24446875) [1]. The bug is in the Qualcomm Secure Execution Environment (QSEE) component used for DRM [2][3].
Exploitation
An attacker must install a malicious application on the device. The app uses QSEECOM access to interact with the Widevine TrustZone application, exploiting the vulnerability to escalate privileges [1]. Public exploit code is available [3].
Impact
Successful exploitation grants the attacker elevated privileges, potentially leading to full compromise of the TrustZone and the Android system [1]. This can result in arbitrary code execution in the secure world [3].
Mitigation
Google released fixes in Android 5.1.1 build LMY49F and in Android 6.0 builds with a Security Patch Level of January 1, 2016 or later [1]. Users should update to these builds. No workaround is documented. The vulnerability is not listed on CISA KEV.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- (no CPE) range: 5.x before 5.1.1 LMY49F, 6.0 before 2016-01-01
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A vulnerability in the Widevine QSEE TrustZone application that can be exploited via crafted QSEECOM commands from a malicious application."
Attack vector
An attacker with high privileges in the Normal World (Android userspace) can exploit the vulnerability by sending crafted QSEECOM commands to the Widevine Trusted Application running in the Qualcomm Secure Execution Environment (QSEE) [ref_id=1]. The attack requires a crafted application that leverages QSEECOM access to communicate with the TrustZone component. Successful exploitation allows the attacker to execute arbitrary code in the Secure World, compromising the confidentiality and integrity of protected content and system files [ref_id=1].
Affected code
The advisory does not specify the exact function or file path for CVE-2015-6639. It clarifies that CVE-2015-6639 is a different vulnerability from the Widevine PRDiagVerifyProvisioning buffer overflow (CVE-2022-48335) and was reported by Google, but no further code-level details are provided in the bundle [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory notes that CVE-2015-6639 was reported by Google and is distinct from the later CVE-2022-48335, but does not describe the specific remediation applied [ref_id=1]. The fix would have been delivered as part of the Android 2016-01-01 security update for affected versions 5.x before 5.1.1 LMY49F and 6.0 before that date.
Preconditions
- auth: Attacker must have high privileges in the Normal World (Android userspace) to send QSEECOM commands
- input: Attacker must be able to install and run a crafted application on the device
- config: Device must run an affected Android version (5.x before 5.1.1 LMY49F or 6.0 before 2016-01-01)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- source.android.com/security/bulletin/2016-01-01.html (nvd, Vendor Advisory)
- packetstormsecurity.com/files/172637/Widevine-Trustlet-5.x-6.x-7.x-PRDiagVerifyProvisioning-Buffer-Overflow.html (nvd)
- seclists.org/fulldisclosure/2023/May/26 (nvd)
- www.securitytracker.com/id/1034592 (nvd)
- www.exploit-db.com/exploits/39757/ (nvd)
News mentions
No linked articles in our index yet.