CVE-2016-6910 — MEDIUM (5.5)

Vulnerability Description

The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data.

CVSS Score

5.5

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Google	Android	5.0.2

Related Weaknesses (CWE)

CWE-200

References

http://www.kryptowire.com/disclosures/CVE-2016-6910/Factory_Resets_and_ObtainingTechnical DescriptionThird Party Advisory
http://www.securityfocus.com/bid/95092
http://www.kryptowire.com/disclosures/CVE-2016-6910/Factory_Resets_and_ObtainingTechnical DescriptionThird Party Advisory
http://www.securityfocus.com/bid/95092

FAQ

What is CVE-2016-6910?

CVE-2016-6910 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even aft...

How severe is CVE-2016-6910?

CVE-2016-6910 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-6910?

Check the references section above for vendor advisories and patch information. Affected products include: Google Android.