Skip to main content

Buffer overflow vulnerability in wcnss_wlan_write (CVE-2016-5342)

Release Date:

August 29, 2016

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:


CVE ID(s):



If wcnss_wlan_write is called with more data than was originally allocated, a buffer overflow occurs. The wcnss_service which is running in user space sends a 4-byte value to wcnss platform driver and it allocates a buffer with that size. Later wcnss_service will send calibrated data using file write function on "/dev/wcnss_wlan" device node which never exceeds the allocated size, but as "/dev/wcnss_wlan" device node is open, any entity could write on this device node and write more data which results in buffer overflow.

Access Vector: Local
Security Risk: Medium
Access Vector: Local

Affected Versions:

All Android releases from CAF using the following heads: KitKat, Lollipop, Marshmallow


We advise customers to apply the following patches:

Individual Patches


We thank Chiachih Wu of C0RE Team for bringing this issue to our attention.


Initial revision