PatchSiren cyber security CVE debrief
CVE-2016-6604 Google CVE debrief
CVE-2016-6604 is a critical NULL pointer dereference affecting the Samsung Exynos fimg2d driver. NVD rates it 9.8/CRITICAL and maps the vulnerable component to samsung:exynos_fimg2d. The issue is associated with Android L (5.0/5.1) and M (6.0) environments in the published description, with Samsung’s SMR-AUG-2016 advisory and related OSS-security references as the primary sources for remediation context.
- Vendor: not populated in the stored evidence
- Product: not populated in the stored evidence
- CVE ID: CVE-2016-6604
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-30
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-30
- Advisory updated: 2026-05-13
Who should care
Organizations that deploy Samsung Exynos-based Android devices, especially environments still running or supporting Android L and M builds, should treat this as high priority. Mobile device management teams, OEM support teams, and security responders responsible for Android fleet risk should review exposure against Samsung’s advisory and NVD detail.
Technical summary
The vulnerability is a NULL pointer dereference in the Samsung Exynos fimg2d driver. The NVD record assigns CWE-476 and a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The source corpus indicates the vulnerable component is samsung:exynos_fimg2d, while the Android version entries in the NVD CPE list are marked non-vulnerable in the product mapping. The safe takeaway is that the driver flaw is the affected component, and any impacted Samsung Exynos Android deployment should be validated against vendor guidance.
Defensive priority
Critical. Treat as urgent for any potentially exposed Samsung Exynos Android fleet, especially legacy Android L/M devices or devices that may include the affected driver stack.
Recommended defensive actions
- Check whether any managed devices, embedded builds, or OEM images include the Samsung Exynos fimg2d driver component referenced by NVD.
- Review Samsung’s SMR-AUG-2016 advisory and the related OSS-security references for vendor guidance and remediation context.
- Prioritize inventory of legacy Android L and M devices, since the published description specifically cites those platforms.
- If exposure is confirmed, apply the vendor-provided fix or firmware update path from Samsung rather than relying on application-layer mitigations.
- Use MDM/asset inventory to identify affected Samsung Exynos hardware models and remove or isolate unsupported devices until remediated.
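The inventory steps above can be run against an MDM export. The following added example (not from the debrief or from Samsung) triages a constructed CSV export in which each device reports its board platform and the Android `ro.build.version.security_patch` property. It assumes, as a labelled assumption, that the fix for SVE-2016-6382 ships with Samsung's SMR-AUG-2016 release, so a security patch level of 2016-08-01 or later is treated as fixed; devices with an empty patch level (builds that predate the property) are treated as unpatched. The device ids, models and platform strings are constructed.

```python
import csv
import io
from datetime import date, datetime

# Assumption (labelled): the SVE-2016-6382 fix is in Samsung's August 2016 SMR, so a
# security patch level of 2016-08-01 or later is taken as "fix present".
FIX_PATCH_LEVEL = date(2016, 8, 1)
# Android releases named in the CVE description (L = 5.0/5.1, M = 6.0).
DESCRIBED_RELEASES = ("5.0", "5.1", "6.0")

# Constructed sample export, shaped like an MDM CSV; the ids, models and platform
# strings are illustrative and not taken from the advisory.
SAMPLE_INVENTORY = """\
device_id,model,board_platform,android_release,security_patch
tab-001,SM-T800,exynos5420,5.0.2,
phone-002,SM-G920F,exynos7420,6.0.1,2016-07-01
phone-003,SM-G920F,exynos7420,6.0.1,2016-09-01
phone-004,SM-G930F,exynos8890,7.0,2017-01-01
phone-005,Pixel,msm8996,7.1.1,2017-01-05
tab-006,SM-T585,exynos7870,6.0.1,2016-08-01
phone-007,SM-N910C,exynos5433,4.4.4,
"""


def parse_patch_level(value):
    """Return a date, or None when the property is empty (pre-2015 builds lack it)."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").date()


def classify(row):
    """Bucket one inventory row as 'remediate', 'verify' or 'out_of_scope'."""
    platform = row["board_platform"].lower()
    release = row["android_release"]
    patch = parse_patch_level(row["security_patch"])
    if "exynos" not in platform:
        return "out_of_scope"   # NVD maps the flaw to the Exynos fimg2d driver only
    if patch is not None and patch >= FIX_PATCH_LEVEL:
        return "out_of_scope"   # assumed fixed by the August 2016 SMR
    if release.startswith(DESCRIBED_RELEASES):
        return "remediate"      # L/M build on Exynos, unpatched or patch level unknown
    return "verify"             # Exynos, but not a release the description names


def triage(csv_text):
    """Group device_ids by bucket; returns a dict of sorted id lists."""
    buckets = {"remediate": [], "verify": [], "out_of_scope": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[classify(row)].append(row["device_id"])
    return {bucket: sorted(ids) for bucket, ids in buckets.items()}


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print("%-13s %s" % (bucket + ":", ", ".join(ids) or "-"))
```

The "verify" bucket exists because the description only names L and M: an Exynos device on another release is not cleared by this script, and should be checked against the vendor advisory rather than silently dropped.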
Evidence notes
This debrief is grounded in the NVD record and the referenced Samsung/OSS-security advisories. The source corpus states: NULL pointer dereference in Samsung Exynos fimg2d; Samsung ID SVE-2016-6382; Android L (5.0/5.1) and M (6.0) mentioned in the description; CVSS 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; and CWE-476. The NVD CPE criteria mark samsung:exynos_fimg2d as vulnerable. Note that the vendor/product mapping in the supplied data is mixed: the issue is in a Samsung driver, while the vendor field from CPE resolution shows Google for Android OS entries that are not marked vulnerable. No exploit instructions or unverified remediation details are included.
Official resources
- CVE-2016-6604 CVE record (CVE.org)
- CVE-2016-6604 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Vendor and community references in the supplied corpus are dated August 2016, while the CVE record itself was published on 2017-01-30 and later modified on 2026-05-13. Use Samsung’s advisory references for remediation context and the CVE/NV