PatchSiren

CVE-2016-4547 Samsung CVE debrief

CVE-2016-4547 is a Samsung Android denial-of-service issue affecting devices running Android 4.4, 5.0/5.1, and 6.0. According to the NVD record, a crafted system call to TvoutService_C can trigger a system crash. The issue is rated CVSS 7.5 (High) with no confidentiality or integrity impact, and the primary security concern is availability.

Vendor: Samsung
Product: CVE-2016-4547
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Samsung mobile fleet owners, Android enterprise administrators, carrier support teams, and security teams responsible for Samsung devices on Android 4.4, 5.0, 5.1, or 6.0 should treat this as a priority availability issue.

Technical summary

The NVD entry maps this vulnerability to CWE-20 and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The affected products listed are Samsung mobile devices running Android KK 4.4, L 5.0/5.1, and M 6.0. The described trigger is a crafted system call to TvoutService_C that can cause a system crash, indicating an input-validation failure in a device-facing code path.

Defensive priority

High. This is a remotely reachable, unauthenticated denial-of-service condition on affected Samsung Android builds, so patching or compensating controls should be prioritized for exposed or widely deployed fleets.

Recommended defensive actions

  • Inventory Samsung devices running Android 4.4, 5.0, 5.1, or 6.0 and confirm whether they are affected.
  • Apply Samsung vendor updates or platform updates that address the issue, if available for the device line.
  • If patching is not immediately possible, limit exposure of affected devices to untrusted inputs and monitor for unexpected crashes or reboots.
  • Use MDM/endpoint management to segment or restrict high-risk devices until remediation is complete.
  • Track Samsung security bulletins and the referenced vendor advisory for device-specific remediation guidance.

Evidence notes

The NVD record published with the CVE lists Samsung mobile CPEs for Android 4.4, 5.0, 5.1, and 6.0, and describes the crash trigger as a crafted system call to TvoutService_C. NVD also assigns CWE-20 and CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied references point to Samsung's SMR-FEB-2016 advisory and an oss-security mailing-list post dated 2016-05-06, which supports the conclusion that the issue was publicly disclosed before the CVE publication date of 2017-02-13.

Official resources

Public references in the CVE record point to Samsung's SMR-FEB-2016 advisory and an oss-security post dated 2016-05-06; the CVE record was published on 2017-02-13.