Oneplus
Products
3- 11 CVEs
- 9 CVEs
- 1 CVE
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11105 | Cri | 0.64 | 9.8 | 0.02 | Aug 3, 2017 | The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 partition before executing it, although it contains a certificate. This allows attackers with write access to that partition to disable signature validation. | ||
| CVE-2017-5626 | Cri | 0.64 | 9.8 | 0.03 | Mar 12, 2017 | OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows… | ||
| CVE-2017-5624 | Cri | 0.64 | 9.8 | 0.03 | Mar 12, 2017 | An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will not… | ||
| CVE-2025-10184 | Hig | 0.53 | — | 0.04 | Sep 23, 2025 | The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to… | ||
| CVE-2017-5554 | Hig | 0.53 | 8.1 | 0.03 | Jan 23, 2017 | An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4.0.2. The attacker can reboot the device into the fastboot mode, which could be done without any authentication. A physical attacker can press the "Volume Up" button during device boot, where an attacker with… | ||
| CVE-2016-10370 | Hig | 0.49 | 7.5 | 0.01 | May 11, 2017 | An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signature), it unnecessarily increases the attack surface, and… | ||
| CVE-2017-5947 | Med | 0.44 | 6.8 | 0.00 | Mar 29, 2018 | An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS 5.0 and earlier. The attacker can reboot the device into the Qualcomm Emergency Download (EDL) mode through ADB or by using Volume-Up when connected to USB, which in turn could allow for downgrading… | ||
| CVE-2017-5623 | Med | 0.43 | 6.6 | 0.00 | Mar 19, 2017 | An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT… | ||
| CVE-2017-8851 | Med | 0.38 | 5.9 | 0.00 | May 11, 2017 | An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact that both products share the same 'ro.build.product' system property, attackers… | ||
| CVE-2017-8850 | Med | 0.38 | 5.9 | 0.00 | May 11, 2017 | An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders,… | ||
| CVE-2017-5948 | Med | 0.38 | 5.9 | 0.01 | May 11, 2017 | An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgrades… | ||
| CVE-2017-5622 | Med | 0.38 | 5.9 | 0.00 | Mar 26, 2017 | With OxygenOS before 4.0.3, when a charger is connected to a powered-off OnePlus 3 or 3T device, the platform starts with adbd enabled. Therefore, a malicious charger or a physical attacker can open up, without authorization, an ADB session with the device, in order to further… | ||
| CVE-2017-5625 | Med | 0.30 | 4.6 | 0.00 | Apr 25, 2017 | In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by issuing the 'fastboot oem dump ' fastboot command. | ||
| CVE-2020-13626 | 0.00 | — | 0.00 | Oct 9, 2020 | OnePlus App Locker through 2020-10-06 allows physically proximate attackers to use Google Assistant to bypass an authorization check in order to send an SMS message when the SMS application is locked. | |||
| CVE-2020-7958 | 0.00 | — | 0.01 | Apr 14, 2020 | An issue was discovered on OnePlus 7 Pro devices before 10.0.3.GM21BA. The firmware was found to contain functionality that allows a privileged user (root) in the Rich Execution Environment (REE) to obtain bitmap images from the fingerprint sensor because of Leftover Debug Code.… |
- risk 0.64cvss 9.8epss 0.02
The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 partition before executing it, although it contains a certificate. This allows attackers with write access to that partition to disable signature validation.
- risk 0.64cvss 9.8epss 0.03
OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows…
- risk 0.64cvss 9.8epss 0.03
An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will not…
- risk 0.53cvss —epss 0.04
The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to…
- risk 0.53cvss 8.1epss 0.03
An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4.0.2. The attacker can reboot the device into the fastboot mode, which could be done without any authentication. A physical attacker can press the "Volume Up" button during device boot, where an attacker with…
- risk 0.49cvss 7.5epss 0.01
An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signature), it unnecessarily increases the attack surface, and…
- risk 0.44cvss 6.8epss 0.00
An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS 5.0 and earlier. The attacker can reboot the device into the Qualcomm Emergency Download (EDL) mode through ADB or by using Volume-Up when connected to USB, which in turn could allow for downgrading…
- risk 0.43cvss 6.6epss 0.00
An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT…
- risk 0.38cvss 5.9epss 0.00
An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact that both products share the same 'ro.build.product' system property, attackers…
- risk 0.38cvss 5.9epss 0.00
An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders,…
- risk 0.38cvss 5.9epss 0.01
An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgrades…
- risk 0.38cvss 5.9epss 0.00
With OxygenOS before 4.0.3, when a charger is connected to a powered-off OnePlus 3 or 3T device, the platform starts with adbd enabled. Therefore, a malicious charger or a physical attacker can open up, without authorization, an ADB session with the device, in order to further…
- risk 0.30cvss 4.6epss 0.00
In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by issuing the 'fastboot oem dump ' fastboot command.
- CVE-2020-13626Oct 9, 2020risk 0.00cvss —epss 0.00
OnePlus App Locker through 2020-10-06 allows physically proximate attackers to use Google Assistant to bypass an authorization check in order to send an SMS message when the SMS application is locked.
- CVE-2020-7958Apr 14, 2020risk 0.00cvss —epss 0.01
An issue was discovered on OnePlus 7 Pro devices before 10.0.3.GM21BA. The firmware was found to contain functionality that allows a privileged user (root) in the Rich Execution Environment (REE) to obtain bitmap images from the fingerprint sensor because of Leftover Debug Code.…