CVE-2016-2427

Name of the Vulnerable Software and Affected Versions Android versions 5.x through 6.x

Description The AES-GCM specification in RFC 5084 recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application. However, the vendor disputes the existence of this potential issue in Android, stating that the insecure default value of 12 bytes was a default only for the encoding and not default anywhere else in Android.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.