Critical Vulnerability: Remote Crash and Device Unusability via Malformed OTA WAP PUSH SMS on Samsung Galaxy S4-S7

Critical Vulnerability: Remote Crash and Device Unusability via Malformed OTA WAP PUSH SMS on Samsung Galaxy S4-S7

CVE-2016-7989 · HIGH Severity

AV:N/AC:L/AU:N/C:N/I:N/A:C

On Samsung Galaxy S4 through S7 devices, a malformed OTA WAP PUSH SMS containing an OMACP message sent remotely triggers an unhandled ArrayIndexOutOfBoundsException in Samsung's implementation of the WifiServiceImpl class within wifi-service.jar. This causes the Android runtime to continually crash, rendering the device unusable until a factory reset is performed, a subset of SVE-2016-6542.

Learn more about our Cis Benchmark Audit For Google Android.