CVE-2016-10335

Vulnerability

In all Android releases from the Code Aurora Forum (CAF) using the Linux kernel, the libtomcrypt cryptographic library was updated to address an unspecified vulnerability. The flaw resides in the library's cryptographic implementation and is reachable when an affected Android device processes certain operations using libtomcrypt. All CAF-based Android releases are affected [1].

Exploitation

The attacker must have local access to the device and must be able to trigger processing of data by the vulnerable libtomcrypt routines. No authentication is required beyond local access, but user interaction may be needed to induce the library to process attacker-controlled data [1].

Impact

Successful exploitation could lead to local information disclosure. The attacker may be able to read sensitive data that was processed by libtomcrypt, potentially bypassing protections offered by the cryptographic library. The compromise is limited to information disclosure and does not grant code execution or privilege escalation [1].

Mitigation

The fix was released as part of the Android Security Bulletin for June 2017 [1]. Users should apply the security update provided by their device manufacturer. No workaround is available other than installing the patch.