{"id":"ASB-A-307288067","details":"In attributeBytesBase64 and attributeBytesHex of BinaryXmlSerializer.java, there is a possible arbitrary XML injection due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-307288067","CVE-2024-34740"],"modified":"2026-05-18T15:08:09.253695Z","published":"2024-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/700c28908051ceb55e1456d2d21229bc17c6895a"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/e8b6505647be558ed3a167a1e13c53dfc227d22b"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-08-01"}]}],"versions":["14-next"],"ecosystem_specific":{"severity":"High","types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/eebe3b8baf112082c3178ba7d17b5318c53b3b5f"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/libs/modules-utils","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-08-01"}]}],"versions":["14-next"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesHex"},"id":"ASB-A-307288067-8c8c1bf6","digest":{"length":305,"function_hash":"276202928956936777865925272387699035005"},"source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890","signature_version":"v1"},{"deprecated":false,"signature_type":"Function","target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"id":"ASB-A-307288067-97671524","digest":{"length":308,"function_hash":"123285881540088161321404136447312297041"},"source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890","signature_version":"v1"},{"deprecated":false,"signature_type":"Line","target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java"},"id":"ASB-A-307288067-c0884d18","digest":{"line_hashes":["283722049743732542501552246218868566890","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890","signature_version":"v1"}],"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-08-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"id":"ASB-A-307288067-91dae152","digest":{"length":308,"function_hash":"123285881540088161321404136447312297041"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"},{"deprecated":false,"signature_type":"Function","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesHex"},"id":"ASB-A-307288067-b4ba89ae","digest":{"length":305,"function_hash":"276202928956936777865925272387699035005"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"},{"deprecated":false,"signature_type":"Line","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java"},"id":"ASB-A-307288067-e213bdb3","digest":{"line_hashes":["215027096968947984660538355209230953530","292425170535058714301227834960314272490","141389441976109996511672681276036685866","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"}],"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-08-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"id":"ASB-A-307288067-2b5d7f9d","digest":{"length":308,"function_hash":"123285881540088161321404136447312297041"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"},{"deprecated":false,"signature_type":"Line","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java"},"id":"ASB-A-307288067-97756750","digest":{"line_hashes":["215027096968947984660538355209230953530","292425170535058714301227834960314272490","141389441976109996511672681276036685866","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"},{"deprecated":false,"signature_type":"Function","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesHex"},"id":"ASB-A-307288067-ae08b6e4","digest":{"length":305,"function_hash":"276202928956936777865925272387699035005"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"}],"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-08-01"}]}],"versions":["13"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesHex"},"id":"ASB-A-307288067-549f8e22","digest":{"length":305,"function_hash":"276202928956936777865925272387699035005"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"},{"deprecated":false,"signature_type":"Line","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java"},"id":"ASB-A-307288067-ac8a12dc","digest":{"line_hashes":["215027096968947984660538355209230953530","292425170535058714301227834960314272490","141389441976109996511672681276036685866","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"},{"deprecated":false,"signature_type":"Function","target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"id":"ASB-A-307288067-caff5f0f","digest":{"length":308,"function_hash":"123285881540088161321404136447312297041"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e","signature_version":"v1"}],"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-08-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"High","types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/eebe3b8baf112082c3178ba7d17b5318c53b3b5f"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/libs/modules-utils","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-08-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesHex"},"id":"ASB-A-307288067-879ac2af","digest":{"length":305,"function_hash":"276202928956936777865925272387699035005"},"source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890","signature_version":"v1"},{"deprecated":false,"signature_type":"Function","target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"id":"ASB-A-307288067-a15c9166","digest":{"length":308,"function_hash":"123285881540088161321404136447312297041"},"source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890","signature_version":"v1"},{"deprecated":false,"signature_type":"Line","target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java"},"id":"ASB-A-307288067-a83843b8","digest":{"line_hashes":["283722049743732542501552246218868566890","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890","signature_version":"v1"}],"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}}],"schema_version":"1.7.5"}