Zygote command injection allows code execution as any app via WRITE_SECURE_SETTINGS or Signed Config

2024-06-0100:00:00

Google

osv.dev

zygote command injection

code execution

write_secure_settings

signed config

unsafe deserialization

zygoteprocess.java

local privilege escalation

user interaction

7.5 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

In multiple functions of ZygoteProcess.java, there is a possible way to achieve code execution as any app via WRITE_SECURE_SETTINGS due to unsafe deserialization. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

CPENameOperatorVersion
platform/frameworks/baseeq12
platform/frameworks/baseeq14
platform/frameworks/baseeq12L
platform/frameworks/baseeq13

Name	Operator	Version
platform/frameworks/base	eq	12
platform/frameworks/base	eq	14
platform/frameworks/base	eq	12L
platform/frameworks/base	eq	13

References

android.googlesource.com/platform/frameworks/base/+/e25a0e394bbfd6143a557e1019bb7ad992d11985

source.android.com/security/bulletin/2024-06-01