CVE-2018-9474Deserialization of Untrusted Data in Google Android

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 93.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedNov 20

Description

In writeToParcel of MediaPlayer.java, there is a possible serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5google/android5 versions+4
NVDgoogle/android6 versions+5

Patches

Patch: source.android.com

🔴Vulnerability Details

1
GHSA
GHSA-pqf7-5pw8-wxvr: In writeToParcel of MediaPlayer2024-11-20

📋Vendor Advisories

1
Android
CVE-2018-9474: Android Security Bulletin 2018-09-01 CVE: CVE-2018-9474 Severity: HIGH Type: EoP Affected AOSP versions: 72018-09-01