CVE-2014-7911
published 2014-12-15


Priority: P353 · Severity: high · CVSS 2.0 base score: 7.2
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C (local access, low complexity, no authentication; complete confidentiality, integrity and availability impact)
EPSS: 24.35% (97.6th percentile)
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.

Affected

43 ranges · showing 25

Vendor   Product   Version range   Fixed in
google   android   <= 4.4.4        (not listed on this page; the description gives 5.0.0 as the first unaffected release)
(the other 24 rows shown list vendor google, product android with no version range or fix version)

Detection & IOCs (extracted from sources)

  • Attack vector: the java.io.ObjectInputStream deserialization path in Android before 5.0.0. Pre-5.0 ObjectInputStream instantiated whatever class a stream named without checking that the local class actually implements Serializable, so a crafted stream can populate the fields of a non-serializable class and let its finalize method act on attacker-controlled values. Monitor for crafted Parcels/intents delivered to system_server that carry serialized objects of classes with finalize methods.
  • The known proof-of-concept abuses the finalize method of android.os.BinderProxy; look for unexpected invocation of BinderProxy.finalize() triggered from deserialization in the system_server context.
  • Only Android versions before 5.0.0 are affected; devices running Android 5.0.0 or later are not vulnerable to this specific flaw.
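The root cause and the shape of the Android 5.0 fix, as an added worked example that is not code from this page, from Android or from libcore. The Python below parses the class-descriptor and field data of a Java serialization stream (the byte format that Parcel.writeSerializable embeds) and applies two policies to every class the stream names: the pre-5.0 one, which trusts the stream's own SC_SERIALIZABLE flag, and a hardened one that also requires the named class to be Serializable in the local runtime (modelled here with an allowlist set instead of a real Serializable.class.isAssignableFrom check). Everything it consumes is constructed: the LOCAL_SERIALIZABLE set, the com.example.Note class, the two byte streams, and the assumption that the attacker-controlled BinderProxy field is a long named mObject.

```python
"""Java serialization stream parser with the pre-5.0 and hardened class checks side by side. Added example."""
import struct

STREAM_MAGIC, STREAM_VERSION, BASE_HANDLE = 0xACED, 0x0005, 0x7E0000
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x71, 0x72, 0x73, 0x74, 0x78
SC_WRITE_METHOD, SC_SERIALIZABLE = 0x01, 0x02
PRIM = {"B": ">b", "C": ">H", "D": ">d", "F": ">f", "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}  # field type code -> struct format


class Reader:
    """Cursor over the stream; `handles` mirrors ObjectInputStream's back-reference table."""
    def __init__(self, data):
        self.data, self.pos, self.handles = data, 0, []
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")  # 2-byte length prefix, then the bytes
    def ref(self): return self.handles[struct.unpack(">I", self.take(4))[0] - BASE_HANDLE]  # TC_REFERENCE payload


def read_class_desc(r, descs):
    """newClassDesc: name, serialVersionUID, flags, field list, annotation, superclass descriptor."""
    tc = r.u8()
    if tc in (TC_NULL, TC_REFERENCE):
        return None if tc == TC_NULL else r.ref()
    if tc != TC_CLASSDESC:
        raise ValueError("unexpected type code 0x%02x where a class descriptor was expected" % tc)
    name, _uid = r.utf(), r.take(8)
    desc = {"name": name, "flags": r.u8(), "fields": [], "super": None}
    if desc["flags"] & SC_WRITE_METHOD:
        raise ValueError("custom writeObject data is not supported by this parser")
    r.handles.append(desc)  # the descriptor's handle is assigned before classDescInfo is read
    for _ in range(r.u16()):
        code, fname = chr(r.u8()), r.utf()
        if code in "L[":  # object/array field: its type signature follows as a string item
            read_object(r, descs)
        desc["fields"].append((code, fname))
    if r.u8() != TC_ENDBLOCKDATA:
        raise ValueError("class annotations are not supported by this parser")
    desc["super"] = read_class_desc(r, descs)
    descs.append(desc)
    return desc


def read_object(r, descs):
    """One content item: TC_OBJECT, TC_STRING, TC_NULL or a back-reference to an earlier item."""
    tc = r.u8()
    if tc in (TC_NULL, TC_REFERENCE):
        return None if tc == TC_NULL else r.ref()
    if tc == TC_STRING:
        r.handles.append(r.utf())
        return r.handles[-1]
    if tc != TC_OBJECT:
        raise ValueError("unsupported type code 0x%02x" % tc)
    desc = read_class_desc(r, descs)
    if desc is None:
        raise ValueError("object without a class descriptor")
    obj = {"class": desc["name"], "values": {}}
    r.handles.append(obj)
    chain = []
    while desc:  # classdata is written superclass-first, so collect the chain and reverse it
        chain.append(desc)
        desc = desc["super"]
    for d in reversed(chain):
        for code, fname in d["fields"]:
            if code in PRIM:
                obj["values"][fname] = struct.unpack(PRIM[code], r.take(struct.calcsize(PRIM[code])))[0]
            else:
                obj["values"][fname] = read_object(r, descs)
    return obj


def deserialize(stream, local_serializable, hardened=True):
    """Returns (parsed object, names of classes the policy rejects). hardened=False models Android < 5.0,
    which trusted the attacker-controlled SC_SERIALIZABLE flag; hardened=True also needs a local Serializable class."""
    r = Reader(stream)
    if (r.u16(), r.u16()) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("not a Java serialization stream")
    descs = []
    obj = read_object(r, descs)
    rejected = [d["name"] for d in descs
                if not (d["flags"] & SC_SERIALIZABLE) or (hardened and d["name"] not in local_serializable)]
    return obj, rejected


def build_stream(class_name, prim_fields):
    """Builds a minimal stream: one object, no superclass, primitive fields given as (code, name, value)."""
    out = struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION) + bytes([TC_OBJECT, TC_CLASSDESC])
    out += struct.pack(">H", len(class_name)) + class_name.encode() + b"\0" * 8  # className, serialVersionUID
    out += bytes([SC_SERIALIZABLE]) + struct.pack(">H", len(prim_fields))
    for code, fname, _ in prim_fields:
        out += code.encode() + struct.pack(">H", len(fname)) + fname.encode()
    out += bytes([TC_ENDBLOCKDATA, TC_NULL])  # no class annotations, no superclass
    return out + b"".join(struct.pack(PRIM[code], v) for code, _, v in prim_fields)


LOCAL_SERIALIZABLE = {"java.lang.Integer", "java.util.HashMap", "com.example.Note"}  # constructed allowlist
# Constructed in the shape of the PoC: android.os.BinderProxy is not Serializable locally, but the stream
# claims it is and supplies a value for a field assumed here to be the native pointer `mObject` (a long).
POC_STREAM = build_stream("android.os.BinderProxy", [("J", "mObject", 0x41414141)])
BENIGN_STREAM = build_stream("com.example.Note", [("I", "id", 7), ("Z", "starred", True)])
```

Under the pre-5.0 policy deserialize(POC_STREAM, LOCAL_SERIALIZABLE, hardened=False) returns the BinderProxy object with mObject set to the attacker's value and rejects nothing; the hardened policy rejects android.os.BinderProxy while still accepting the benign stream. Pointed at serialized blobs carved out of captured Parcels, the same parser lists the class names a stream would instantiate, which is the practical form of the first two IOC bullets above.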