The April 2017 Android Security Bulletin is out, and it makes Android's Qualcomm and Broadcom firmware look like the WTC straight after 9/11. At this rate we will have exhausted the four-digit CVE counter for 2017 before Pentecost.
We already know MediaServer is a piece of Swiss cheese, but this is about CameraBase, Audioserver, SurfaceFlinger, Telephony, Factory Reset (sic!) and Broadcom, Qualcomm, NVIDIA, HTC and MediaTek firmware problems as well.
Much of that is available only as binary blobs and has never seen a systematic audit, ever. Hence the CVE list. Multiple Critical, plenty of High.
Your phone does get updates and fixes, does it?