Vulnerability Description
OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow an attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| OnePlus | OxygenOS | <= 3.2.8 |
| OnePlus | OnePlus 3 | - |
| OnePlus | OnePlus 3T | - |
References
- https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/ (Exploit, Technical Description, Third Party Advisory)
FAQ
What is CVE-2017-5626?
CVE-2017-5626 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow an attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking'...
How severe is CVE-2017-5626?
CVE-2017-5626 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-5626?
Check the references section above for vendor advisories and patch information. Affected products include: OnePlus OxygenOS, OnePlus 3, OnePlus 3T.