PatchSiren

CVE-2016-6492 Google CVE debrief

CVE-2016-6492 is a high-severity local privilege escalation in the MediaTek camera_fdvt.c driver. According to the public record, a crafted application can trigger the MT6573FDVTIOC_T_SET_FDCONF_CMD IOCTL and abuse the MT6573FDVT_SetRegHW function to gain privileges on affected Android systems.

Vendor: Google
Product: CVE-2016-6492
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-12
Original CVE updated: 2026-05-13
Advisory published: 2017-01-12
Advisory updated: 2026-05-13

Who should care

Android OEMs and maintainers, device security teams, and enterprise admins responsible for Android fleets that include MediaTek-based devices. It is most relevant where apps from untrusted sources can be installed or where affected devices may still be in service.

Technical summary

NVD describes the flaw as a local privilege escalation in MT6573FDVT_SetRegHW within camera_fdvt.c in the MediaTek Linux driver. The attack vector is local with user interaction required (CVSS v3.0: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and NVD maps the issue to CWE-264. The NVD CPE mapping indicates affected Android versions up to 7.1.0.

Defensive priority

High. Treat as urgent for any still-supported or still-deployed Android device that may include the affected MediaTek driver, because a local app path can lead to full privilege escalation.

Recommended defensive actions

  • Confirm whether any deployed Android devices include the affected MediaTek camera_fdvt driver path and whether vendor firmware includes a fix.
  • Apply the relevant Android/OEM security updates or backported patches as soon as they are available.
  • Restrict installation of untrusted applications on managed devices and enforce mobile application allowlisting where practical.
  • Prioritize retirement or isolation of unpatchable devices that remain within the affected Android version range.
  • Review device security monitoring for signs of unexpected local privilege escalation or kernel/driver abuse.

Evidence notes

The description and NVD metadata support a local privilege-escalation issue in MediaTek's camera_fdvt.c driver, specifically MT6573FDVT_SetRegHW and the MT6573FDVTIOC_T_SET_FDCONF_CMD IOCTL. The NVD record lists CVSS v3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, maps the weakness to CWE-264, and associates the issue with Android versions through 7.1.0. MITRE/NVD references include an Android Security Bulletin entry and third-party advisory records.

Official resources

Publicly recorded in NVD on 2017-01-12. MITRE/NVD references in the record point to an Android Security Bulletin dated 2016-12-01 and related third-party advisories.