High severity7.0NVD Advisory· Published Aug 16, 2017· Updated May 13, 2026

CVE-2016-5859

Description

In a sound driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, if a function is called with a very large length, an integer overflow could occur followed by a buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in Qualcomm sound driver leads to buffer overflow; permits local privilege escalation from kernel context.

Vulnerability

An integer overflow vulnerability exists in a sound driver function used across all Qualcomm products that run Android for MSM, Firefox OS for MSM, or QRD Android. When the function is called with a very large length value, the integer wrap can cause a subsequent heap buffer overflow. Affected versions include all Android for MSM, Firefox OS for MSM, and QRD Android builds prior to the May 2017 security patch level.

Exploitation

An attacker needs local access to the affected device and the ability to execute a program that calls the vulnerable sound driver function with a crafted large length argument. No user interaction beyond running the malicious program is required, and the attack does not depend on a race condition or network position.

Impact

Successful exploitation allows an attacker to gain elevated privileges within the kernel, leading to a complete compromise of confidentiality, integrity, and availability (CIA impact). The attack is rated High severity with a CVSS v3 base score of 7.0.

Mitigation

Google released a fix as part of the May 1, 2017 Android Security Bulletin [1]. Users should apply the Android security update provided by their device vendor. No workaround other than applying the patch is documented.

References

Android Security Bulletin—May 2017

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Google/Android
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Qualcomm/MSMllm-fuzzy
Qualcomm, Inc./All Qualcomm productsv5
Range: Android for MSM, Firefox OS for MSM, QRD Android

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

source.android.com/security/bulletin/2017-05-01nvdPatchVendor Advisory
source.codeaurora.org/quic/la//kernel/msm-3.18/commit/nvdIssue TrackingPatchThird Party Advisory
www.securityfocus.com/bid/98175nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000