CVE-2016-10424

Vulnerability

Multiple memory corruption vulnerabilities exist in LibPNG versions 1.6.12 through 1.6.20 as used in Android on Qualcomm Snapdragon Automobile, Mobile, and Wear chipsets. The issues are resolved by upgrading LibPNG to version 1.6.21. Affected SoCs include MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 820, SD 820A, SD 835, SD 845, and SD 850. Android security patch level 2018-04-05 or earlier is vulnerable [1].

Exploitation

An attacker could exploit these vulnerabilities by providing a specially crafted PNG image to an application or service that processes images using the vulnerable LibPNG library. No specific user interaction beyond opening the image is required. The exact attack vector depends on the specific CWE, but generally the attacker needs to convince a user or system to decode a malicious PNG file [1].

Impact

Successful exploitation could lead to information disclosure, denial of service, or arbitrary code execution in the context of the affected process. The severity is rated as High with a CVSS v3 base score of 9.8 (Critical). The attacker could gain access to sensitive data, cause a system crash, or modify memory [1].

Mitigation

The vulnerabilities are fixed in Android security patch level 2018-04-05 or later. Users should apply the security update as soon as it becomes available from their device manufacturer. No workarounds are documented for these specific LibPNG issues. Devices should be updated to a newer Android security patch level to mitigate these vulnerabilities [1].