PatchSiren cyber security CVE debrief

CVE-2016-8467 Google CVE debrief

CVE-2016-8467 is an Android bootloader vulnerability that can let a local attacker execute arbitrary modem commands on the device. The impact is availability-focused: the issue is described as a local permanent denial of service that may require reflashing the entire operating system, and NVD lists Android versions through 7.1.0 as vulnerable.

Vendor: Google
Product: CVE-2016-8467
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Android device owners, OEMs, mobile fleet administrators, and security teams responsible for devices running Android 7.1.0 and earlier should pay attention, especially where physical or other local access to devices cannot be tightly controlled.

Technical summary

The CVE describes an elevation-of-privilege issue in the bootloader that allows a local attacker to issue arbitrary modem commands. NVD’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with the stated availability impact rather than data theft or integrity loss. NVD’s CPE criteria mark Android up to version 7.1.0 as vulnerable, and the recorded weakness category is CWE-264.

Defensive priority

High for affected Android fleets, because the failure mode can be a permanent or near-permanent denial of service and recovery may require reflashing the OS.

Recommended defensive actions

  • Apply the Android security bulletin fixes referenced for 2017-01-01 and verify that the affected bootloader/modem components are updated by the OEM.
  • Inventory Android devices at or below the vulnerable version range listed by NVD and prioritize those still in active service.
  • Restrict local access to managed devices where possible, since the attack requires local privileges.
  • Use OEM-approved recovery and reflash procedures for incident response planning, because the impact may be persistent without a full OS reflash.
  • Validate that device support channels are available for firmware and bootloader remediation before deployment to production fleets.
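The inventory step above, as an added example that is not part of the PatchSiren debrief: a small Python triage helper over constructed device records (the `Device` fields and `SAMPLE_FLEET` are assumptions) that flags devices at or below the NVD range of 7.1.0 whose security patch level predates the 2017-01-01 bulletin, or is unknown.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Vulnerable range stated by NVD for CVE-2016-8467 and the bulletin date
# that carries the fix; both values come from the debrief above.
MAX_VULNERABLE_RELEASE = (7, 1, 0)
FIX_BULLETIN_DATE = date(2017, 1, 1)

@dataclass(frozen=True)
class Device:
    serial: str          # hypothetical fleet identifier
    release: str         # ro.build.version.release, e.g. "7.1.0" or "7.1"
    security_patch: str  # ro.build.version.security_patch, "YYYY-MM-DD"

def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn an Android release string into a comparable 3-tuple.
    "7.1" becomes (7, 1, 0); non-numeric suffixes are ignored."""
    parts = []
    for piece in release.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])

def parse_patch_level(level: str) -> Optional[date]:
    try:
        return date.fromisoformat(level)
    except ValueError:
        return None  # missing or malformed patch level is treated as unknown

def is_exposed(dev: Device) -> bool:
    """Exposed when the release is inside the NVD range AND the patch
    level is older than the fix bulletin (an unknown level counts as old)."""
    if parse_release(dev.release) > MAX_VULNERABLE_RELEASE:
        return False
    patched = parse_patch_level(dev.security_patch)
    return patched is None or patched < FIX_BULLETIN_DATE

def triage(devices: List[Device]) -> List[str]:
    """Serials to prioritise: unknown patch level first, then oldest."""
    exposed = [d for d in devices if is_exposed(d)]
    exposed.sort(key=lambda d: parse_patch_level(d.security_patch) or date.min)
    return [d.serial for d in exposed]

# Constructed sample inventory, not real devices.
SAMPLE_FLEET = [
    Device("A1", "7.1.0", "2016-12-05"),  # in range, pre-bulletin: exposed
    Device("B2", "7.1.1", "2016-12-05"),  # above the NVD range: not flagged
    Device("C3", "7.0", "2017-01-01"),    # in range, carries the bulletin
    Device("D4", "6.0.1", ""),            # in range, patch level unknown: exposed
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLEET))  # ['D4', 'A1']
```

A patch level at or after the bulletin is a necessary check, not a sufficient one; the first action above still applies, confirming that the OEM actually shipped the bootloader/modem update for the device model.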

Evidence notes

Core facts come from the CVE description and NVD metadata: local attacker, arbitrary modem commands, permanent denial of service, Android vulnerability scope, CVSS 5.5/AV:L/PR:L/UI:N/A:H, and CWE-264. The Android security bulletin is the vendor advisory/patch reference in the source corpus. The publishedAt timestamp (2017-01-13) is the CVE record publication time used for disclosure context; the later modifiedAt timestamp is only a record update and not the original issue date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-13, with the Android bulletin referenced by NVD as the vendor advisory and patch source.