PatchSiren cyber security CVE debrief

CVE-2017-0446 Google CVE debrief

CVE-2017-0446 is a high-severity Android elevation-of-privilege issue affecting the HTC touchscreen driver path. The published description says a local malicious application could execute arbitrary code in the kernel context, but exploitation is not a simple one-step local bug: it first requires compromising a privileged process. That combination makes the issue especially important on devices where the affected driver stack is present, because kernel-context compromise can undermine the integrity of the whole device.

Vendor: Google
Product: CVE-2017-0446
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android platform teams, OEM/device maintainers, kernel and driver security owners, and fleet defenders responsible for devices using the HTC touchscreen driver stack or Android kernel 3.18 builds listed as vulnerable in NVD.

Technical summary

The CVE description identifies an elevation-of-privilege condition in the HTC touchscreen driver. NVD classifies the attack as local, with high attack complexity and user interaction required, and rates the confidentiality, integrity, and availability impacts as high. The record also lists vulnerable CPEs for Android up to 7.1.1 and Linux kernel 3.18. The weakness mapping is not specific beyond NVD-CWE-noinfo, so defenders should treat this as a driver/kernel memory or privilege boundary issue rather than assume a single root cause.

Defensive priority

High

Recommended defensive actions

  • Apply the Android vendor security bulletin fixes referenced for this CVE and verify the affected build is no longer in use.
  • Inventory devices and kernels that match the vulnerable CPEs, especially Android builds up to 7.1.1 and Linux kernel 3.18.
  • Prioritize devices or product lines that include the HTC touchscreen driver path identified in the CVE description.
  • Reduce exposure to privileged-process compromise paths, since the CVE description says exploitation depends on first compromising a privileged process.
  • Use kernel hardening, least-privilege app controls, and prompt patch deployment to limit the impact of local driver escalation bugs.
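One way to run the inventory step above over a fleet export, as an added example that is not part of the advisory or the CVE record. The CSV columns and sample devices are constructed, and the check covers only the coarse CPE criteria stated on this page (Android up to 7.1.1, Linux kernel 3.18); it cannot confirm that the HTC touchscreen driver is present on a device.

```python
import csv
import io
import re

# Constructed sample of a fleet inventory export (hypothetical column names).
SAMPLE_INVENTORY = """\
device_id,android_release,kernel
dev-001,7.1.1,3.18.31-perf-g1a2b3c4
dev-002,7.1.2,3.18.31-perf-g1a2b3c4
dev-003,6.0.1,3.10.84-g5d6e7f8
dev-004,7.0,3.18.20
dev-005,8.0.0,4.4.88
dev-006,unknown,3.18.45
"""

ANDROID_MAX = (7, 1, 1)   # page: vulnerable CPEs cover Android up to 7.1.1
KERNEL_SERIES = (3, 18)   # page: vulnerable CPE linux_kernel 3.18

def parse_version(text, width=3):
    """Return the leading dotted numeric components as a padded tuple, or None."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def classify(row):
    """Return 'match', 'review' or 'no-match' for one inventory row."""
    android = parse_version(row["android_release"])
    kernel = parse_version(row["kernel"])
    if android is None or kernel is None:
        return "review"      # unparseable data must not silently pass
    in_android_range = android <= ANDROID_MAX
    in_kernel_series = kernel[:2] == KERNEL_SERIES
    if in_android_range and in_kernel_series:
        return "match"
    # Assumption: the page does not say how the two CPE criteria combine,
    # so a device meeting only one is held for manual review.
    if in_android_range or in_kernel_series:
        return "review"
    return "no-match"

def triage(csv_text):
    """Map device_id -> classification for a CSV inventory export."""
    return {r["device_id"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {verdict}")
```

Devices marked `match` or `review` still need their build checked against the vendor bulletin fix before they are cleared.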

Evidence notes

Source corpus states: "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel." It also states: "This issue is rated as High because it first requires compromising a privileged process." NVD metadata lists CVSS vector CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, vulnerable CPEs for android up to 7.1.1 and linux_kernel 3.18, and weakness NVD-CWE-noinfo. The Android security bulletin reference is included in the corpus as the vendor advisory/patch reference.

Official resources

CVE published 2017-02-08. The supplied record was last modified 2026-05-13. The Android Security Bulletin reference in the corpus is dated 2017-02-01; this is advisory context, not the CVE publication date.