CVE-2016-2461

Name of the Vulnerable Software and Affected Versions Conscrypt in Android versions prior to 2016-05-01

Description The issue is related to the mishandling of resets of the Additional Authenticated Data (AAD) array in the OpenSSLCipher.java component of Conscrypt. This allows attackers to spoof message authentication. The vulnerability is also described as being related to insufficient access control, which can be exploited by a remote attacker to substitute authentication messages.

Recommendations For Conscrypt in Android versions prior to 2016-05-01, update the Conscrypt component to a version released after 2016-05-01 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.