OnePlus - 15 CVEs (Page 1/1)

About “OnePlus”

A curated feed of “OnePlus”-related CVEs appears below. We currently track 15 CVEs for this tag (all time). In the last 365 days, 0 were published. Average CVSS is 7.0 (all time), and 40% are rated High/Critical (all time). Top CWEs (all time): CWE-319 - Cleartext Transmission of Sensitive Information, CWE-269 - Improper Privilege Management, CWE-862 - Missing Authorization.

In our taxonomy this topic maps to a LOW impact class. Mobile OS and devices protect account and app access. Update OS, enforce MDM policies, disable sideloading, and restrict developer options. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: oneplus

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL
15r	2025-12-22	-	2029-12-22	2031-12-31
15	2025-11-13	-	2029-11-13	2031-11-13
pad3	2025-06-05	-	2029-06-05	2031-06-19
13t	2025-04-24	-	2029-04-24	2031-04-24
13r	2025-01-07	-	2029-01-07	2031-01-07
13	2024-10-31	-	2028-10-31	2030-10-31
pad2	2024-07-16	-	2027-07-16	2028-07-16
12r	2024-01-23	-	2028-01-23	2029-01-23
12	2024-01-23	-	2028-01-23	2029-01-23
pad1	2023-05-01	-	2026-05-01	2026-05-01 Expired
11r	2023-02-07	-	2027-02-07	2028-02-07
11	2023-02-07	-	2027-02-07	2028-02-07

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “OnePlus” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2023-08-10

High

CVE-2023-26309

A remote code execution vulnerability in the webview component of OnePlus Store app.

CVSS: 7.4 CWE: N/A View on NVD

2020-10-09

Medium

CVE-2020-13626

OnePlus App Locker through 2020-10-06 allows physically proximate attackers to use Google Assistant to bypass an authorization check in order to send an SMS message when the SMS application is locked.

CVSS: 4.6 CWE: CWE-862 - Missing Authorization View on NVD

2020-04-14

Medium

CVE-2020-7958

An issue was discovered on OnePlus 7 Pro devices before 10.0.3.GM21BA. The firmware was found to contain functionality that allows a privileged user (root) in the Rich Execution Environment (REE) to…

CVSS: 6.0 CWE: N/A View on NVD

2018-03-29

Medium

CVE-2017-5947

An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS 5.0 and earlier. The attacker can reboot the device into the Qualcomm Emergency Download (EDL) mode through ADB or by…

CVSS: 6.8 CWE: N/A View on NVD

2017-08-03

Critical

CVE-2017-11105

The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 partition before executing it, although it contains a certificate. This allows attackers with write access to that partition to disab…

CVSS: 9.8 CWE: N/A View on NVD

2017-05-11

Medium

CVE-2017-8851

An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD

Medium

CVE-2017-8850

An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers c…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD

Medium

CVE-2017-5948

An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check tha…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD

High

CVE-2016-10370

An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due t…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD

2017-04-25

Medium

CVE-2017-5625

In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by…

CVSS: 4.6 CWE: CWE-476 - NULL Pointer Dereference View on NVD

2017-03-26

Medium

CVE-2017-5622

With OxygenOS before 4.0.3, when a charger is connected to a powered-off OnePlus 3 or 3T device, the platform starts with adbd enabled. Therefore, a malicious charger or a physical attacker can open…

CVSS: 5.9 CWE: CWE-276 - Incorrect Default Permissions View on NVD

2017-03-19

Medium

CVE-2017-5623

An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' i…

CVSS: 6.6 CWE: CWE-269 - Improper Privilege Management View on NVD

2017-03-12

Critical

CVE-2017-5626

OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking…

CVSS: 9.8 CWE: N/A View on NVD

Critical

CVE-2017-5624

An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot…

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD

2017-01-23

High

CVE-2017-5554

An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4.0.2. The attacker can reboot the device into the fastboot mode, which could be done without any authentication. A physical attac…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD