CVE-2016-2423 in Androidinfo

Summary

by MITRE

server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26303187.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/13/2025

The vulnerability described in CVE-2016-2423 represents a critical security flaw in Android's telephony subsystem that undermines the Factory Reset Protection mechanism. This weakness exists within the server/telecom/CallsManager.java component of the Android operating system, specifically affecting versions prior to the mentioned security patches. The flaw stems from the system's failure to properly verify device provisioning status during critical operations, creating a pathway for unauthorized data manipulation. The vulnerability is particularly concerning because it can be exploited by attackers who are physically proximate to the target device, making it a significant risk in environments where device security is paramount.

The technical implementation of this vulnerability lies in the CallsManager.java file's improper handling of device provisioning states. When a device is provisioned, it should be considered as having completed initial setup and security configurations that protect against unauthorized access. However, the vulnerable code fails to perform adequate checks to determine whether the device has been properly provisioned before allowing certain operations to proceed. This oversight creates a scenario where malicious actors can exploit the system by manipulating call-related functions to bypass the Factory Reset Protection mechanism. The unspecified vectors mentioned in the description suggest that multiple attack paths may exist, potentially involving various telephony interfaces or system calls that interact with the provisioning state.

The operational impact of this vulnerability extends beyond simple data deletion capabilities, as it fundamentally compromises the device's security posture. Attackers who can physically access a device can leverage this flaw to bypass critical protection mechanisms that are designed to prevent unauthorized access after a factory reset. This creates a significant risk for users whose devices may be lost or stolen, as the vulnerability allows for complete data wiping without proper authentication. The Factory Reset Protection mechanism is specifically designed to prevent such scenarios, but this vulnerability undermines that protection entirely. The affected versions span multiple Android releases including 4.x through 6.x, indicating a widespread impact that would have affected millions of devices globally.

Mitigation strategies for this vulnerability require immediate system updates and patch management to ensure all affected Android versions receive the necessary security fixes. Organizations should prioritize deployment of the vendor-provided security patches that address the provisioning state checking mechanism in the CallsManager component. Additionally, users should be educated about the importance of keeping their devices updated and should avoid using devices that have not received the latest security updates. The vulnerability aligns with CWE-284 Access Control Issues, specifically related to insufficient checks for device provisioning status, and could be categorized under ATT&CK technique T1485 Data Destruction, as it enables unauthorized data deletion capabilities. Security teams should implement monitoring for unusual telephony-related activities that might indicate exploitation attempts, particularly in environments where physical security controls are insufficient.

Reservation

02/18/2016

Disclosure

04/17/2016

Moderation

accepted

Entry

VDB-81602

CPE

ready

EPSS

0.00180

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!