CVE-2016-10481 in Android

Summary

by MITRE

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 600, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850, and SDX20, if WLAN FW receives the WMI_STA_SMPS_PARAM_CMDID ioctl in not-associated state, when the virtual channel handle is not assigned, the code doesn't check for NULL virtual channel handle, so an assert occurs.


Analysis

by VulDB Data Team • 01/27/2020

This vulnerability exists in Qualcomm Snapdragon mobile and wear platforms and affects Android versions prior to the 2018-04-05 security patch level. The flaw lies in the WLAN firmware, where a NULL pointer dereference occurs while processing the WMI_STA_SMPS_PARAM_CMDID ioctl command. The affected chipsets include MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 600, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850, and SDX20.

The firmware fails to validate the virtual channel handle before operating on it, so when the handle is unexpectedly NULL an assertion failure occurs. This is a classic CWE-476 NULL Pointer Dereference that can lead to system instability and denial of service. The flaw is particularly concerning because it is reached while the device is not in an associated state, meaning it can be triggered even when the wireless interface is not connected to a network. According to the ATT&CK framework, this vulnerability maps to T1499.004 Network Denial of Service and potentially T1595.001 Network Configuration Discovery, as it affects the wireless subsystem's operational integrity. The vulnerability allows for a local privilege escalation scenario in which a malicious actor could exploit the NULL pointer dereference to cause system crashes or instability, compromising the device's wireless connectivity and overall reliability. The impact extends beyond simple denial of service: it can affect the device's ability to maintain stable wireless connections and may provide a foothold for further exploitation attempts.

The vulnerability was addressed through firmware updates and security patches released as part of the 2018-04-05 Android security update cycle, which added proper NULL pointer validation before the virtual channel handle is accessed. Organizations should ensure all affected Snapdragon-based devices receive the appropriate security patches and consider monitoring for exploitation attempts targeting this wireless subsystem vulnerability. The flaw demonstrates the importance of input validation in embedded firmware and the need for robust error handling in wireless communication stacks.
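The following is an added, constructed model of the command path described above; it is not Qualcomm's firmware, the Android patch, or VulDB content, and every name in it (vdev_lookup, sta_smps_param_cmd_unchecked, sta_smps_param_cmd_checked, FW_ASSERT) is assumed for illustration. It shows the unchecked handler reaching the firmware assert when no virtual channel handle has been assigned, beside the hardened handler that validates the handle and fails the command cleanly.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a WLAN firmware WMI command path (not Qualcomm's code).
 * The vdev (virtual channel) handle is only assigned once the station
 * associates, so in the not-associated state the lookup returns NULL. */
#define MAX_VDEV        4
#define WMI_OK          0
#define WMI_ERR_NO_VDEV (-1)   /* hardened path: reject the command, keep running */
#define WMI_FW_ASSERT   (-2)   /* flawed path: the firmware assert fires (FW reset) */

/* Model of the firmware assert. A real one halts or resets the WLAN firmware,
 * which is the denial of service above; here it returns a status instead. */
#define FW_ASSERT(cond) do { if (!(cond)) return WMI_FW_ASSERT; } while (0)

struct vdev { int associated; uint32_t smps_param; };

/* vdev table: an entry stays NULL until association assigns a handle. */
static struct vdev *vdev_table[MAX_VDEV];

static struct vdev *vdev_lookup(uint32_t vdev_id) {
    return vdev_id < MAX_VDEV ? vdev_table[vdev_id] : NULL;
}

/* Lower layer: asserts on its argument, as the bug description implies. */
static int vdev_set_smps_param(struct vdev *vd, uint32_t value) {
    FW_ASSERT(vd != NULL);
    vd->smps_param = value;
    return WMI_OK;
}

/* Flawed handler: forwards the handle with no NULL check, so a
 * WMI_STA_SMPS_PARAM_CMDID for a not-associated vdev reaches the assert. */
int sta_smps_param_cmd_unchecked(uint32_t vdev_id, uint32_t value) {
    return vdev_set_smps_param(vdev_lookup(vdev_id), value);
}

/* Hardened handler: validate the handle and state first, then fail cleanly. */
int sta_smps_param_cmd_checked(uint32_t vdev_id, uint32_t value) {
    struct vdev *vd = vdev_lookup(vdev_id);
    if (vd == NULL || !vd->associated)
        return WMI_ERR_NO_VDEV;
    return vdev_set_smps_param(vd, value);
}

/* Constructed fixture: vdev 0 is associated with a handle, vdev 1 is not. */
static struct vdev assoc_vdev = { 1, 0 };
int setup_vdevs(void) { vdev_table[0] = &assoc_vdev; vdev_table[1] = NULL; return WMI_OK; }
uint32_t vdev_smps_param(uint32_t vdev_id) {
    struct vdev *vd = vdev_lookup(vdev_id);
    return vd ? vd->smps_param : 0;
}
```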

Reservation

08/16/2017

Disclosure

04/18/2018

Moderation

accepted

CPE

ready

EPSS

0.01269

KEV

no

Activities

very low

Sources
