CVE-2011-3874

Name of the Vulnerable Software and Affected Versions Android versions 2.2.x through 2.2.2 Android versions 2.3.x through 2.3.6

Description The issue is a stack-based buffer overflow in libsysutils. It allows remote attackers to execute arbitrary code via an application that calls the FrameworkListener::dispatchCommand method with the wrong number of arguments. This can trigger a use-after-free error, as demonstrated by the zergRush exploit.

Recommendations For Android versions 2.2.x through 2.2.2, update to a version outside of this range to resolve the issue. For Android versions 2.3.x through 2.3.6, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of the FrameworkListener::dispatchCommand method until a patch is available.