PT-2014-8342 · Google · Android
Jann Horn · Published 2014-12-15 · Updated 2014-12-16 · CVE-2014-7911
CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Android versions prior to 5.0.0
Description: The issue concerns the java.io.ObjectInputStream implementation in Android, whose deserialization code does not verify that the class named in the stream actually meets the requirements for serialization (i.e. implements java.io.Serializable). This allows attackers to execute arbitrary code by crafting a serialized object with an attacker-chosen finalize method inside an ArrayMap Parcel within an intent sent to a system service. An example of exploitation is through the finalize method of android.os.BinderProxy.
Recommendations: For Android versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue.


Weakness Enumeration

Related Identifiers: CVE-2014-7911
Affected Products: Android