CVE-2014-7911

Android < 4.4.4 - Remote Code Execution via Crafted Finalize Method in ObjectInputStream

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2014-7911. PoCs published by retme7, GeneBlue, heeeeen.

AI-analyzed exploit summary This is a local privilege escalation (LPE) exploit for CVE-2014-7911 targeting Android 4.4.4 on Nexus 5. It leverages deserialization vulnerabilities in the Android system service to escalate from an app context to system privileges, then chains with CVE-2014-4322 for root access.

Description

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.

Exploits (6)

nomisec WORKING POC 149 stars
by retme7 · poc
https://github.com/retme7/CVE-2014-7911_poc

This is a local privilege escalation (LPE) exploit for CVE-2014-7911 targeting Android 4.4.4 on Nexus 5. It leverages deserialization vulnerabilities in the Android system service to escalate from an app context to system privileges, then chains with CVE-2014-4322 for root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Android 4.4.4 (KTU8P) on Nexus 5
No auth needed
Prerequisites: Physical or local access to a vulnerable Nexus 5 device running Android 4.4.4 · Ability to sideload the exploit APK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 13 stars
by GeneBlue · poc
https://github.com/GeneBlue/cve-2014-7911-exp

This repository contains a proof-of-concept exploit for CVE-2014-7911, targeting a Java deserialization vulnerability in Android to achieve system privilege escalation. The exploit uses a custom ROP chain and chunk spraying technique to bypass memory protections.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Android 4.4.4 (Nexus 5)
No auth needed
Prerequisites: Android device running version 4.4.4 · Physical or remote access to deploy the exploit
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 9 stars
by heeeeen · poc
https://github.com/heeeeen/CVE-2014-7911poc

This PoC exploits CVE-2014-7911, a deserialization vulnerability in Android's BinderProxy, to achieve local privilege escalation by crafting a malicious serialized object and leveraging a ROP chain to execute arbitrary commands as the system user.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Android 4.4.4_r1 (Nexus 5)
No auth needed
Prerequisites: Physical or local access to the target device · Target device running Android 4.4.4_r1
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 7 stars
by ele7enxxh · poc
https://github.com/ele7enxxh/CVE-2014-7911

This repository contains a functional proof-of-concept exploit for CVE-2014-7911, a local privilege escalation vulnerability in Android 4.4.4_r1. The exploit leverages heap spraying and a ROP chain to escalate privileges to the system user (uid=1000).

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Android 4.4.4_r1 (Nexus 5)
No auth needed
Prerequisites: Physical access or ADB access to the target device · Target device must be running Android 4.4.4_r1
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by koozxcv · poc
https://github.com/koozxcv/CVE-2014-7911-CVE-2014-4322_get_root_privilege

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2014-7911, targeting Android 4.4.4 on Nexus 5 devices. The exploit leverages deserialization and Binder manipulation to escalate privileges from an app context to system and then to root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Android 4.4.4 (KTU8P) on Nexus 5
No auth needed
Prerequisites: Physical or local access to a vulnerable Android device · Android 4.4.4 (KTU8P) on Nexus 5
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by koozxcv · poc
https://github.com/koozxcv/CVE-2014-7911

This PoC exploits CVE-2014-7911, a deserialization vulnerability in Android's BinderProxy class. It manipulates serialized data to trigger arbitrary code execution by exploiting the IUserManager service.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Android (versions affected by CVE-2014-7911)
No auth needed
Prerequisites: Access to an affected Android device · Ability to install and run the malicious APK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Nov/51

Scores

EPSS 0.2435
EPSS Percentile 97.6%

Details

CWE
CWE-264
Status published
Products (43)
google/android 1.0
google/android 1.1
google/android 1.5
google/android 1.6
google/android 2.0
google/android 2.0.1
google/android 2.1
google/android 2.2 (2 CPE variants)
google/android 2.2.1
google/android 2.2.2
... and 33 more
Published Dec 15, 2014
Tracked Since Feb 18, 2026