Login Sign Up

CVE-2016-10450

9.8 CRITICAL
Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability in the thermal service of Qualcomm chipsets allows attackers to execute arbitrary code with root privileges. This affects Android devices using specific Qualcomm Snapdragon and Small Cell SoCs before April 2018 security patches. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • Android devices with Qualcomm Snapdragon Mobile, Snapdragon Wear, Small Cell SoC chipsets
Versions: Android versions before April 5, 2018 security patch level
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific Qualcomm chipsets: FSM9055, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20

📦 What is this software?

Fsm9055 Firmware by Qualcomm

View all CVEs affecting Fsm9055 Firmware →

Mdm9206 Firmware by Qualcomm

View all CVEs affecting Mdm9206 Firmware →

Mdm9607 Firmware by Qualcomm

View all CVEs affecting Mdm9607 Firmware →

Mdm9635m Firmware by Qualcomm

View all CVEs affecting Mdm9635m Firmware →

Mdm9640 Firmware by Qualcomm

View all CVEs affecting Mdm9640 Firmware →

Mdm9650 Firmware by Qualcomm

View all CVEs affecting Mdm9650 Firmware →

Msm8909w Firmware by Qualcomm

View all CVEs affecting Msm8909w Firmware →

Sd 205 Firmware by Qualcomm

View all CVEs affecting Sd 205 Firmware →

Sd 210 Firmware by Qualcomm

View all CVEs affecting Sd 210 Firmware →

Sd 212 Firmware by Qualcomm

View all CVEs affecting Sd 212 Firmware →

Sd 400 Firmware by Qualcomm

View all CVEs affecting Sd 400 Firmware →

Sd 410 Firmware by Qualcomm

View all CVEs affecting Sd 410 Firmware →

Sd 412 Firmware by Qualcomm

View all CVEs affecting Sd 412 Firmware →

Sd 415 Firmware by Qualcomm

View all CVEs affecting Sd 415 Firmware →

Sd 425 Firmware by Qualcomm

View all CVEs affecting Sd 425 Firmware →

Sd 430 Firmware by Qualcomm

View all CVEs affecting Sd 430 Firmware →

Sd 450 Firmware by Qualcomm

View all CVEs affecting Sd 450 Firmware →

Sd 615 Firmware by Qualcomm

View all CVEs affecting Sd 615 Firmware →

Sd 616 Firmware by Qualcomm

View all CVEs affecting Sd 616 Firmware →

Sd 617 Firmware by Qualcomm

View all CVEs affecting Sd 617 Firmware →

Sd 625 Firmware by Qualcomm

View all CVEs affecting Sd 625 Firmware →

Sd 650 Firmware by Qualcomm

View all CVEs affecting Sd 650 Firmware →

Sd 652 Firmware by Qualcomm

View all CVEs affecting Sd 652 Firmware →

Sd 800 Firmware by Qualcomm

View all CVEs affecting Sd 800 Firmware →

Sd 808 Firmware by Qualcomm

View all CVEs affecting Sd 808 Firmware →

Sd 810 Firmware by Qualcomm

View all CVEs affecting Sd 810 Firmware →

Sd 820 Firmware by Qualcomm

View all CVEs affecting Sd 820 Firmware →

Sd 835 Firmware by Qualcomm

View all CVEs affecting Sd 835 Firmware →

Sdx20 Firmware by Qualcomm

View all CVEs affecting Sdx20 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of affected Android devices, allowing attackers to install persistent malware, steal sensitive data, and control device functionality.

🟠

Likely Case

Privilege escalation leading to unauthorized access to system resources and potential data exfiltration.

🟢

If Mitigated

No impact if patched with April 2018 or later Android security updates.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to device. No public exploit code available, but buffer overflow vulnerabilities in system services are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level April 5, 2018 or later

Vendor Advisory: https://source.android.com/security/bulletin/2018-04-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > Advanced > System update. 2. Install April 2018 or later security patch. 3. Reboot device after installation.

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict application whitelisting to limit attack surface

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android security patch level. If date is before April 5, 2018, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows April 5, 2018 or later date.

📡 Detection & Monitoring

Log Indicators:

  • Unusual thermal service crashes or restarts
  • Privilege escalation attempts in system logs
  • Unexpected root access events

Network Indicators:

  • Unusual outbound connections from system processes
  • Command and control traffic from device

SIEM Query:

source="android_system" AND (event="thermal_service_crash" OR event="privilege_escalation")

📊 Metadata

CVE ID: CVE-2016-10450
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Published: April 18, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2016-10450, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)