CVE-2016-10423
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile and Snapdragon Mobile SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, and SD 820A, when a Trusted Application has opened the SPI interface to a particular device, it is possible for another Trusted Application to read the data on this open interface due to non-exclusive access of the SPI bus.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Non-exclusive access to the SPI bus in Qualcomm Snapdragon devices allows a Trusted Application to read data from another TA's open SPI interface.
Vulnerability
In Android before the 2018-04-05 security patch level on Qualcomm Snapdragon Automobile and Snapdragon Mobile platforms, including SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, and SD 820A, the SPI bus is not properly isolated when shared between Trusted Applications. When a Trusted Application has opened the SPI interface to a particular device, it is possible for another Trusted Application to read data on this open interface due to non-exclusive access of the SPI bus [1].
Exploitation
An attacker requires the ability to execute a malicious Trusted Application on the target device. No additional authentication or network access is needed beyond that. The malicious TA can simply open the same SPI bus and read data intended for another TA that has already established a session with a peripheral device [1].
Impact
Successful exploitation allows a malicious Trusted Application to read sensitive data being transferred over the SPI bus by another Trusted Application. This could lead to information disclosure, potentially compromising cryptographic keys, sensor data, or other secrets processed in the secure world [1].
Mitigation
The issue was addressed in the Android security patch level of 2018-04-05 or later. Devices that have received this or a more recent patch are no longer vulnerable. Users should ensure their devices are updated to the latest security patch level available from their manufacturer [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: before 2018-04-05 or earlier
- Range: before 2018-04-05 or earlier
- Qualcomm, Inc./Snapdragon Automobile, Snapdragon Mobilev5Range: SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- www.securityfocus.com/bid/103671mitrevdb-entryx_refsource_BID
- source.android.com/security/bulletin/2018-04-01mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.