CVE-2016-6754

Published: Nov 25, 2016Modified: May 6, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. Android ID: A-31217937.

Affected (6)

Products: Google: Android

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Google Android	Up to 6.0.1
Google Android	Version 5.0.1
Google Android	Version 5.0
Google Android	Version 5.1.0
Google Android	Version 5.1
Google Android	Version 6.0

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (6)

http://www.securityfocus.com/bid/94204

Source: security@android.com

https://source.android.com/security/bulletin/2016-11-01.html

Source: security@android.com

Vendor Advisory

https://www.exploit-db.com/exploits/40846/

Source: security@android.com

http://www.securityfocus.com/bid/94204

Source: af854a3a-2127-422b-91ae-364da2661108

https://source.android.com/security/bulletin/2016-11-01.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.exploit-db.com/exploits/40846/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.