CVE-2016-0848

Name of the Vulnerable Software and Affected Versions Android versions 4.x through 4.4.4 Android versions 5.0.x through 5.0.2 Android versions 5.1.x through 5.1.1 Android versions 6.x before 2016-04-01

Description The issue allows attackers to bypass private-storage file-access restrictions via a crafted application that changes a symlink target. This can be demonstrated by obtaining Signature or SignatureOrSystem access. The vulnerability exists due to insufficient checking of the state of a shared resource, which can be exploited by a local attacker to bypass existing restrictions on access to private files using a specially crafted application that changes a link.

Recommendations For Android versions 4.x through 4.4.4, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.2, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.1, update to version 5.1.1 or later. For Android versions 6.x before 2016-04-01, update to a version released after 2016-04-01.