CVE-2016-6910

Published: Dec 23, 2016Modified: May 6, 2026

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data.

Affected (3)

Products: Google: Android

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 5.0.2
Google Android	Version 5.1.1
Google Android	Version 6.0.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

http://www.kryptowire.com/disclosures/CVE-2016-6910/Factory_Resets_and_Obtaining_Notifications_on_Samsung_Android_Devices.pdf

Source: cve@mitre.org

Technical DescriptionThird Party Advisory

http://www.securityfocus.com/bid/95092

Source: cve@mitre.org

http://www.kryptowire.com/disclosures/CVE-2016-6910/Factory_Resets_and_Obtaining_Notifications_on_Samsung_Android_Devices.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Technical DescriptionThird Party Advisory

http://www.securityfocus.com/bid/95092

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.