CVE-2014-7951

MEDIUM

Android 4.0.4 - Path Traversal and Arbitrary File Write via ADB Backup Tar Headers

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-7951. PoCs published by Imre Rad.

AI-analyzed exploit summary This writeup describes a path traversal vulnerability in Android's ADB backup functionality (CVE-2014-7951), allowing file overwrite on writable partitions by manipulating tar headers. It affects pre-Lollipop Android versions under specific conditions.

Description

Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system via a .. (dot dot) in the tar archive headers.

Exploits (1)

exploitdb WRITEUP
by Imre Rad · textlocalhardware
https://www.exploit-db.com/exploits/36813

This writeup describes a path traversal vulnerability in Android's ADB backup functionality (CVE-2014-7951), allowing file overwrite on writable partitions by manipulating tar headers. It affects pre-Lollipop Android versions under specific conditions.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Android (pre-5.0 Lollipop)
Auth required
Prerequisites: ADB access · writable partition · pre-Lollipop Android version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/131510/ADB-Backup-Traversal-File-Overwrite.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/36813/
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2015/Apr/51
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/74211

Scores

CVSS v3 4.6
EPSS 0.0107
EPSS Percentile 60.6%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (1)
google/android 4.0.4
Published Feb 20, 2020
Tracked Since Feb 18, 2026