CVE-2016-0818

Name of the Vulnerable Software and Affected Versions Conscrypt versions prior to 4.4.4 in Android 4.x Conscrypt versions prior to 5.1.1 LMY49H in Android 5.x Conscrypt versions prior to 2016-03-01 in Android 6.x

Description The caching functionality in the TrustManagerImpl class in Conscrypt mishandles the distinction between an intermediate CA and a trusted root CA. This issue allows man-in-the-middle attackers to spoof servers by leveraging access to an intermediate CA to issue a certificate. The vulnerability is related to errors in security settings and can be exploited by a remote attacker to substitute servers using access to intermediate certificate centers.

Recommendations For Conscrypt in Android 4.x, update to version 4.4.4 or later. For Conscrypt in Android 5.x, update to version 5.1.1 LMY49H or later. For Conscrypt in Android 6.x, update to a version released after 2016-03-01.