media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455.
Conclusion & alert: CVE-2016-2419 is rated Moderate Risk (57.9/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.80%).Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2016-2419
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
CVE-2016-2419 medium priority: Ubuntu including 1 source packages (android), 9 status rows across 9 suites (artful, bionic, precise, trusty, upstream, wily, xenial, yakkety, zesty): DNE 4, ignored 4, released 1.