Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-3860

packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen in Android 5.x before 5.1.1 LMY48M does not restrict the number of characters in the passwordEntry input field, which allows physically proximate attackers to bypass intended access restrictions via a long password that triggers a SystemUI crash, aka internal bug 22214934.

Published

2015-10-01T00:59:28.187

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.2 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Primary
CWE-284

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	google	android	≤ 5.1	Yes

References

http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/ Exploit ([email protected])
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590 Vendor Advisory ([email protected])
https://code.google.com/p/android/issues/detail?id=178139 Exploit ([email protected])
https://groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ Vendor Advisory ([email protected])
http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/ Exploit (af854a3a-2127-422b-91ae-364da2661108)
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://code.google.com/p/android/issues/detail?id=178139 Exploit (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)