
Use after Free due to Race Conditions in KGSL Module (CVE-2016-2504, CVE-2016-2503)

Release Date:

July 6, 2016

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:


CVE ID(s):

CVE-2016-2504, CVE-2016-2503

The following security vulnerabilities have been identified in the QuIC-authored KGSL Linux graphics module.

CVE-2016-2504

Because of the module's allocation patterns, it is possible to guess the ID or GPU address of a memory buffer before the allocation operation returns it to the user. A user can use the guessed ID to "free" the buffer while the setup function is still initializing it, leaving the setup path operating on freed memory.

CVE-2016-2503

In the syncsource_destroy ioctl, the syncsource is looked up before its spinlock is acquired. If the ioctl is called by parallel threads, every thread obtains the same syncsource before any of them takes the lock; the first thread to acquire the lock removes the syncsource and drops its refcount, and the later threads then try to drop a refcount that has already been destroyed. This is a race condition in syncsource removal that leads to a use after free.
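Both races above have the same shape: an object reachable through an ID table can be freed by a second thread while the first thread still holds a raw pointer to it. The following is an added example, not KGSL or CAF code: a user-space C model of both patterns with the vulnerable and hardened variants side by side. The object pool, the `table[]` that stands in for the kernel's idr, the `obj_*` helpers and the `race_*` scenario functions are all constructed for this illustration, and the interleavings are sequenced by hand rather than driven by real threads so that the outcome is deterministic.

```c
/* User-space model of the two KGSL lifecycle races (added example, not
 * KGSL or CAF code). Objects live in a small pool and table[] maps ids to
 * objects (the kernel idr's role), so a use-after-free can be reported by
 * return value instead of crashing the process. */
#include <stdio.h>
#include <string.h>
#include <pthread.h>

#define NOBJ 8
enum { FREE = 0, SETUP = 1, READY = 2 };

struct obj {                 /* stands in for a kgsl_mem_entry or syncsource */
    int state;               /* FREE, SETUP or READY */
    int refcount;
    unsigned long gpuaddr;
};

static struct obj pool[NOBJ];
static struct obj *table[NOBJ];  /* id -> object; NULL means the id is unused */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;  /* the "spinlock" */

static void reset(void) { memset(pool, 0, sizeof pool); memset(table, 0, sizeof table); }

static struct obj *obj_new(void) {            /* kzalloc stand-in */
    for (int i = 0; i < NOBJ; i++)
        if (pool[i].state == FREE) {
            pool[i].state = SETUP; pool[i].refcount = 1; pool[i].gpuaddr = 0;
            return &pool[i];
        }
    return NULL;
}
static void obj_put(struct obj *o) { if (--o->refcount == 0) o->state = FREE; }  /* kref_put */
/* Models a memory access through o: -1 means the access would be a UAF. */
static int obj_touch(struct obj *o) { return o->state == FREE ? -1 : 0; }

/* Lowest unused id: this allocation pattern is what lets a user guess the next id. */
static int next_free_id(void) {
    for (int id = 0; id < NOBJ; id++) if (!table[id]) return id;
    return -1;
}
static int table_insert(struct obj *o) { int id = next_free_id(); if (id >= 0) table[id] = o; return id; }

/* Free ioctl: removes and drops any id present in the table; state is not checked. */
static int free_by_id(int id) {
    pthread_mutex_lock(&lock);
    struct obj *o = (id >= 0 && id < NOBJ) ? table[id] : NULL;
    if (o) { table[id] = NULL; obj_put(o); }
    pthread_mutex_unlock(&lock);
    return o ? 0 : -1;
}

/* ---- CVE-2016-2504 pattern: id published before setup is complete ---- */
struct alloc_ctx { struct obj *o; int id; };

static int vuln_alloc_begin(struct alloc_ctx *c) {  /* vulnerable: insert first */
    pthread_mutex_lock(&lock);
    c->o = obj_new();
    c->id = c->o ? table_insert(c->o) : -1;   /* id is now visible to other threads */
    pthread_mutex_unlock(&lock);
    return c->id;
}
static int vuln_alloc_finish(struct alloc_ctx *c, unsigned long gpuaddr) {
    if (!c->o || obj_touch(c->o) < 0) return -1;  /* entry freed out from under us */
    c->o->gpuaddr = gpuaddr; c->o->state = READY;
    return 0;
}
static int safe_alloc(unsigned long gpuaddr) {     /* hardened: publish the id last */
    pthread_mutex_lock(&lock);
    struct obj *o = obj_new();
    int id = -1;
    if (o) { o->gpuaddr = gpuaddr; o->state = READY; id = table_insert(o); }
    pthread_mutex_unlock(&lock);
    return id;
}

/* Returns 1 if the interleaving touched freed memory, 0 otherwise. */
int race_2504(int hardened) {
    reset();
    int guess = next_free_id();        /* attacker thread predicts the next id */
    if (hardened) {
        int r = free_by_id(guess);     /* attacker: id not published yet -> -1 */
        int id = safe_alloc(0x1000);   /* setup completes before the id is visible */
        return !(r == -1 && id == guess && obj_touch(table[id]) == 0);
    }
    struct alloc_ctx c;
    vuln_alloc_begin(&c);              /* thread A: setup starts, id already visible */
    free_by_id(guess);                 /* thread B: frees the guessed id mid-setup */
    return vuln_alloc_finish(&c, 0x1000) < 0;   /* thread A writes to freed memory */
}

/* ---- CVE-2016-2503 pattern: lookup outside the lock, then drop the ref ---- */
static struct obj *vuln_destroy_lookup(int id) { return table[id]; }   /* no lock */
static int vuln_destroy_remove(int id, struct obj *o) {
    pthread_mutex_lock(&lock);
    table[id] = NULL;
    int rc = obj_touch(o);             /* losing thread: object already destroyed */
    if (rc == 0) obj_put(o);
    pthread_mutex_unlock(&lock);
    return rc;
}
static int safe_destroy(int id) {      /* hardened: lookup and removal in one critical section */
    pthread_mutex_lock(&lock);
    struct obj *o = table[id];
    if (o) { table[id] = NULL; obj_put(o); }   /* only the thread that removes the id drops the ref */
    pthread_mutex_unlock(&lock);
    return o ? 0 : -1;                 /* the losing thread gets -1 (EINVAL) */
}

int race_2503(int hardened) {
    reset();
    int id = safe_alloc(0x2000);       /* a syncsource owned by the attacker */
    if (hardened) {
        int a = safe_destroy(id), b = safe_destroy(id);   /* threads A and B */
        return !(a == 0 && b == -1);   /* exactly one drop, so no UAF */
    }
    struct obj *a = vuln_destroy_lookup(id);   /* thread A looks up */
    struct obj *b = vuln_destroy_lookup(id);   /* thread B looks up before A locks */
    vuln_destroy_remove(id, a);                /* A destroys the object */
    return vuln_destroy_remove(id, b) < 0;     /* B acts on the destroyed object */
}

int main(void) {
    printf("CVE-2016-2504 pattern: vulnerable uaf=%d, hardened uaf=%d\n", race_2504(0), race_2504(1));
    printf("CVE-2016-2503 pattern: vulnerable uaf=%d, hardened uaf=%d\n", race_2503(0), race_2503(1));
    return 0;
}
```

`race_2504(0)` and `race_2503(0)` return 1 (the freed object is touched); the hardened variants return 0. The two hardenings are the generic fixes for the described pattern, not a description of the CAF patches: never publish an ID until the object behind it is fully set up, and make the lookup and the removal a single critical section so that only the thread that removes the ID from the table drops the reference.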

Access Vector: Local
Security Risk: High

Affected Versions:

All Android releases from CAF using the Linux kernel.


We advise customers to apply the following patches:

Individual Patches

for msm 3.4, 3.10:
for msm 3.18, 4.4:






Qualcomm Innovation Center, Inc. (QuIC) thanks Adam Donenfeld et al. (Check Point Software Technologies Ltd.) for reporting these issues and working with QuIC to help improve the security of QuIC products.


Updated on 2016-07-13