Vignesh Venkatasubramanian

**Name of the Vulnerable Software and Affected Versions** libvpx versions prior to those included in Android 4.4.4, 5.0.2, 5.1.1, and 7.0 (after 2016-09-01) **Description** The issue allows remote attackers to cause a denial of service, resulting in a buffer over-read, and potentially causing the device to hang or reboot, via a crafted media file. **Recommendations** For versions prior to those included in Android 4.4.4, update to Android 4.4.4 or later. For versions 5.0.x prior to 5.0.2, update to Android 5.0.2 or later. For versions 5.1.x prior to 5.1.1, update to Android 5.1.1 or later. For versions 6.x before 2016-09-01, update to a version released after 2016-09-01. For versions 7.0 before 2016-09-01, update to a version released after 2016-09-01.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 2016-09-01 patch **Description** The issue allows attackers to bypass an intended always-on VPN state via a crafted application due to improper enforcement of the DISALLOW CONFIG VPN setting in the SettingsProvider.java file. **Recommendations** For Android versions prior to 2016-09-01 patch, consider restricting access to the `SettingsProvider.java` file or the DISALLOW CONFIG VPN setting to minimize the risk of exploitation until a patch is available.