VYPR
← All advisories
High severity7.8NVD Advisory· Published Jan 6, 2016· Updated May 6, 2026

CVE-2015-6647

CVE-2015-6647

Description

A crafted application can leverage QSEECOM access to exploit the Widevine QSEE TrustZone application, leading to privilege escalation on Android 5.x and 6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted application can leverage QSEECOM access to exploit the Widevine QSEE TrustZone application, leading to privilege escalation on Android 5.x and 6.0.

Vulnerability

The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LMY49F and Android 6.0 before the 2016-01-01 security patch level allows a crafted application with QSEECOM access to trigger a privilege escalation [1]. The vulnerability resides in the Qualcomm Secure Execution Environment (QSEE) TrustZone component responsible for Widevine DRM operations.

Exploitation

An attacker must first install a malicious application on the device that can interact with the QSEECOM driver. By leveraging QSEECOM access, the application can send crafted commands to the Widevine TrustZone application, exploiting the vulnerability to gain elevated privileges [1]. No additional user interaction beyond installation is required.

Impact

Successful exploitation results in privilege escalation within the TrustZone environment, potentially allowing the attacker to execute arbitrary code with higher privileges than the application normally possesses [1]. This could lead to compromise of sensitive data protected by the TrustZone, such as DRM keys or other secure assets.

Mitigation

Google released fixes in the January 2016 Android Security Bulletin. Devices running Android 5.1.1 build LMY49F or later, or Android 6.0 with a security patch level of January 1, 2016 or later, are patched [1]. Partners were notified on December 7, 2015. Users should apply the OTA update or flash the updated firmware. No workarounds are available for unpatched devices.

References
  1. Nexus Security Bulletin—January 2016

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Google/Android7 versions
    cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
    • (no CPE)range: 5.x <5.1.1 LMY49F, 6.0 <2016-01-01

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in the Widevine TrustZone application's PRDiagClearProvisioning() command handler allows crafted QSEECOM commands to compromise the Secure World."

Attack vector

An attacker with high privileges in the Normal World (Android userspace) can exploit the bug by sending crafted QSEECOM commands to the Widevine Trusted Application running in the Secure World (QSEE TrustZone) [ref_id=1]. The attacker must be able to execute a crafted application on the device that leverages QSEECOM access. The bug resides in the PRDiagClearProvisioning() command handler, which does not properly validate input, allowing the attacker to compromise the Trusted Application and execute arbitrary code in the Secure World [ref_id=1].

Affected code

The vulnerability is in the Widevine QSEE TrustZone application on Android 5.x and 6.0. The advisory references the PRDiagClearProvisioning() command as the location of the bug, noting it has been featured in other blog entries related to CVE-2015-6647 [ref_id=1]. No specific source file or function signature is provided beyond the command name.

What the fix does

The advisory does not include a patch or specific remediation details. It states that CVE-2015-6647 corresponds with a different vulnerability reported by Google, and that the bug is present in Widevine's PRDiagClearProvisioning() command [ref_id=1]. No fix description is provided in the available reference.

Preconditions

  • inputAttacker must be able to execute a crafted application on the device
  • authAttacker must have high privileges in Normal World (Android userspace)
  • inputAttacker must be able to send QSEECOM commands to the Widevine Trusted Application

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.