CVE-2016-3861

Name: CVE-2016-3861
Creator: NVD / NIST
Published: 2016-09-11T21:59:03.1+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 11.17%

Last modified Jun 17, 2026

CVE-2016-3861 is a vulnerability of currently unknown severity. LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.. EPSS estimates a 11.17% chance of exploitation in the next 30 days.

Description

LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.

Metrics

EPSS Probability

11.17%

95.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Google	Android	4.0
Google	Android	4.0.1
Google	Android	4.0.2
Google	Android	4.0.3
Google	Android	4.0.4
Google	Android	4.1
Google	Android	4.1.2
Google	Android	4.2
Google	Android	4.2.1
Google	Android	4.2.2
Google	Android	4.3
Google	Android	4.3.1
Google	Android	4.4
Google	Android	4.4.1
Google	Android	4.4.2
Google	Android	4.4.3
Google	Android	5.0
Google	Android	5.0.1
Google	Android	5.1
Google	Android	5.1.0
Google	Android	6.0
Google	Android	6.0.1
Google	Android	7.0

References

http://source.android.com/security/bulletin/2016-09-01.htmlVendor Advisory
http://www.securityfocus.com/bid/92811
http://www.securitytracker.com/id/1036763
https://android.googlesource.com/platform/frameworks/av/+/3944c65637dfed14a5a895685edfa4bacaf9f76eIssue Tracking, Patch
https://android.googlesource.com/platform/frameworks/base/+/866dc26ad4a98cc835d075b627326e7d7e52ffa1Issue Tracking, Patch
https://android.googlesource.com/platform/frameworks/native/+/1f4b49e64adf4623eefda503bca61e253597b9bfIssue Tracking, Patch
https://android.googlesource.com/platform/system/core/+/ecf5fd58a8f50362ce9e8d4245a33d56f29f142bIssue Tracking, Patch
https://www.exploit-db.com/exploits/40354/
http://source.android.com/security/bulletin/2016-09-01.htmlVendor Advisory
http://www.securityfocus.com/bid/92811
http://www.securitytracker.com/id/1036763
https://android.googlesource.com/platform/frameworks/av/+/3944c65637dfed14a5a895685edfa4bacaf9f76eIssue Tracking, Patch
https://android.googlesource.com/platform/frameworks/base/+/866dc26ad4a98cc835d075b627326e7d7e52ffa1Issue Tracking, Patch
https://android.googlesource.com/platform/frameworks/native/+/1f4b49e64adf4623eefda503bca61e253597b9bfIssue Tracking, Patch
https://android.googlesource.com/platform/system/core/+/ecf5fd58a8f50362ce9e8d4245a33d56f29f142bIssue Tracking, Patch
https://www.exploit-db.com/exploits/40354/

Timeline

Published: Sep 11, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-3861?

How severe is CVE-2016-3861?

Severity scoring for CVE-2016-3861 is pending analysis. The EPSS model estimates a 11.17% probability of exploitation in the next 30 days.

How do I fix CVE-2016-3861?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-3861?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST