PatchSiren cyber security CVE debrief
CVE-2017-0451 Linux CVE debrief
CVE-2017-0451 is an information disclosure issue in the Qualcomm sound driver affecting Android kernels 3.10 and 3.18. The vendor bulletin characterizes it as Moderate because exploitation first requires compromising a privileged process. NVD records the issue as a local attack with high complexity and user interaction, with confidentiality impact but no integrity or availability impact.
- Vendor: Linux
- Product: CVE-2017-0451
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-08
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-08
- Advisory updated: 2026-05-13
Who should care
Android OEMs, device fleet operators, mobile security teams, and kernel maintainers responsible for devices using affected Android builds or Qualcomm sound driver components should prioritize this advisory. Security teams handling rooted, privileged, or otherwise high-trust Android processes should also review it because the vendor description indicates a privileged-process prerequisite.
Technical summary
The weakness is an information disclosure in the Qualcomm sound driver. The NVD record maps it to CWE-200 and lists affected Android versions up to 7.1.1, plus Linux kernel 3.10 and 3.18 CPEs. The CVSS vector in NVD is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating a local attack vector, high attack complexity, and required user interaction. The Android bulletin states the practical risk is limited by the need to first compromise a privileged process.
Defensive priority
Medium
Recommended defensive actions
- Apply the Android Security Bulletin 2017-02-01 updates or OEM-equivalent patches for affected devices.
- Verify whether any deployed Android 7.1.1-or-earlier builds, or kernel 3.10/3.18-based products, include the Qualcomm sound driver fix.
- Prioritize patching devices that run sensitive, privileged, or vendor-supplied system processes.
- Review fleet exposure to legacy Android and embedded Linux builds that may still carry the affected kernel branches.
- Track device vendor backports and confirm the fix is present in OEM firmware images, not just in upstream advisories.
Evidence notes
Primary evidence comes from the NVD record for CVE-2017-0451, which lists the vulnerability as CWE-200 and provides the affected CPEs and CVSS vector. The Android security bulletin referenced by NVD is the vendor advisory source tied to this issue. The CVE was published on 2017-02-08 and later modified on 2026-05-13; those dates are used only as disclosure/timeline context.
Official resources
- CVE-2017-0451 CVE record (CVE.org)
- CVE-2017-0451 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the Android security bulletin referenced by NVD and published in the CVE record on 2017-02-08; the NVD entry was modified on 2026-05-13.