{"id":"ASB-A-307288067","details":"In attributeBytesBase64 and attributeBytesHex of BinaryXmlSerializer.java, there is a possible arbitrary XML injection due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-307288067","CVE-2024-34740"],"modified":"2026-05-18T15:08:09.253695Z","published":"2024-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/700c28908051ceb55e1456d2d21229bc17c6895a"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/e8b6505647be558ed3a167a1e13c53dfc227d22b"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-08-01"}]}],"versions":["14-next"],"ecosystem_specific":{"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/eebe3b8baf112082c3178ba7d17b5318c53b3b5f"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/libs/modules-utils","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-08-01"}]}],"versions":["14-next"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesHex"},"digest":{"function_hash":"276202928956936777865925272387699035005","length":305},"id":"ASB-A-307288067-8c8c1bf6","source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"digest":{"function_hash":"123285881540088161321404136447312297041","length":308},"id":"ASB-A-307288067-97671524","source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java"},"digest":{"threshold":0.9,"line_hashes":["283722049743732542501552246218868566890","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"]},"id":"ASB-A-307288067-c0884d18","source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"}],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-08-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"digest":{"function_hash":"123285881540088161321404136447312297041","length":308},"id":"ASB-A-307288067-91dae152","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesHex"},"digest":{"function_hash":"276202928956936777865925272387699035005","length":305},"id":"ASB-A-307288067-b4ba89ae","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java"},"digest":{"threshold":0.9,"line_hashes":["215027096968947984660538355209230953530","292425170535058714301227834960314272490","141389441976109996511672681276036685866","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"]},"id":"ASB-A-307288067-e213bdb3","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"}],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-08-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"digest":{"function_hash":"123285881540088161321404136447312297041","length":308},"id":"ASB-A-307288067-2b5d7f9d","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java"},"digest":{"threshold":0.9,"line_hashes":["215027096968947984660538355209230953530","292425170535058714301227834960314272490","141389441976109996511672681276036685866","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"]},"id":"ASB-A-307288067-97756750","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesHex"},"digest":{"function_hash":"276202928956936777865925272387699035005","length":305},"id":"ASB-A-307288067-ae08b6e4","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"}],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-08-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesHex"},"digest":{"function_hash":"276202928956936777865925272387699035005","length":305},"id":"ASB-A-307288067-549f8e22","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java"},"digest":{"threshold":0.9,"line_hashes":["215027096968947984660538355209230953530","292425170535058714301227834960314272490","141389441976109996511672681276036685866","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"]},"id":"ASB-A-307288067-ac8a12dc","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/java/com/android/internal/util/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"digest":{"function_hash":"123285881540088161321404136447312297041","length":308},"id":"ASB-A-307288067-caff5f0f","source":"https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"}],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f04963358987679cb4cbab085ec78c1b5e0ed0e"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-08-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/eebe3b8baf112082c3178ba7d17b5318c53b3b5f"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}},{"package":{"name":"platform/frameworks/libs/modules-utils","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-08-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesHex"},"digest":{"function_hash":"276202928956936777865925272387699035005","length":305},"id":"ASB-A-307288067-879ac2af","source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java","function":"attributeBytesBase64"},"digest":{"function_hash":"123285881540088161321404136447312297041","length":308},"id":"ASB-A-307288067-a15c9166","source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"java/com/android/modules/utils/BinaryXmlSerializer.java"},"digest":{"threshold":0.9,"line_hashes":["283722049743732542501552246218868566890","124536555656711251714595757169315741186","122184924213693488507879712964387799493","112442495831665481300647493341313298518","185107612995023145594395780461092034037","146258699207377061517294099540023252159","78225582879338290131721514303224868112","84475282677288083217541497316840726603","185107612995023145594395780461092034037"]},"id":"ASB-A-307288067-a83843b8","source":"https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"}],"spl":"2024-08-01","fixes":["https://android.googlesource.com/platform/frameworks/libs/modules-utils/+/8207203d4ee4210032a5d4e94d3cbf4635d7a890"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-307288067.json"}}],"schema_version":"1.7.5"}