CVE-2016-10424

9.8 CRITICAL

📋 TL;DR

This CVE covers multiple vulnerabilities in the LibPNG library as shipped for Qualcomm Snapdragon chipsets in Android devices. An attacker who gets a crafted PNG image processed on the device could exploit these vulnerabilities to execute arbitrary code or cause a denial of service. Affected devices include Android smartphones, wearables, and automotive systems with the listed Qualcomm chipsets running a security patch level earlier than April 2018.

💻 Affected Systems

Products:
  • Android devices with Qualcomm Snapdragon chipsets
Versions: Android versions before April 2018 security patch (2018-04-05)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 820, SD 820A, SD 835, SD 845, and SD 850 chipsets

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Application crashes, denial of service, or limited code execution within the context of the vulnerable application.

🟢 If Mitigated

Minimal impact if devices are patched and have proper application sandboxing in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the device to process a malicious PNG image, which could be delivered via the web, email, or apps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level 2018-04-05 or later

Vendor Advisory: https://source.android.com/security/bulletin/2018-04-01

Restart Required: Yes

Instructions:

1. Check the device security patch level in Settings > About phone > Android security patch level.
2. If it is before April 2018, update to the latest available Android version.
3. For enterprise devices, push security updates via MDM.
4. For OEMs, update LibPNG from 1.6.12 to 1.6.21 in firmware.

🔧 Temporary Workarounds

  • Disable PNG processing in vulnerable apps (applies to: all): configure applications to avoid processing untrusted PNG images.
  • Network filtering (applies to: all): block PNG image downloads from untrusted sources at the network perimeter.

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks
  • Implement application whitelisting to prevent execution of untrusted applications

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android security patch level. If the date is before 2018-04-05, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Confirm the security patch level shows 2018-04-05 or a later date.
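As an added example that is not part of this advisory, the following POSIX shell script wraps the adb check above: it validates the ro.build.version.security_patch value, compares it against the 2018-04-05 fix date, and reports an unset or malformed property (older builds do not set it) as unknown rather than patched. The function names and the assumption that adb is on PATH are mine.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# CVE-2016-10424 fix date (2018-04-05). Not code from the advisory.

FIX_DATE="2018-04-05"

# classify_patch_level LEVEL
#   LEVEL is the value of ro.build.version.security_patch (YYYY-MM-DD).
#   Prints "patched", "vulnerable" or "unknown"; exit status 0, 1 or 2.
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *)  # empty or malformed: builds without the property land here
            echo "unknown"; return 2 ;;
    esac
    # Strip the dashes so YYYYMMDD can be compared as integers.
    level_num=$(printf '%s' "$level" | tr -d '-')
    fix_num=$(printf '%s' "$FIX_DATE" | tr -d '-')
    if [ "$level_num" -lt "$fix_num" ]; then
        echo "vulnerable"; return 1
    fi
    echo "patched"; return 0
}

# check_connected_devices
#   Runs the check on every device adb reports as "device" (assumes adb on PATH).
#   Output: serial, reported patch level, verdict (tab-separated).
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r\n')
        printf '%s\t%s\t%s\n' "$serial" "${level:-<unset>}" "$(classify_patch_level "$level")"
    done
}

# Usage: source this file, then run check_connected_devices,
# or call classify_patch_level "$(adb shell getprop ro.build.version.security_patch)".
```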

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PNG files
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual PNG file downloads to affected devices
  • Exploit kit traffic patterns

SIEM Query:

source="android_logs" AND ("png" OR "libpng") AND ("crash" OR "segfault" OR "memory corruption")
