CVE-2015-1474

Android < 5.0 - Integer Overflow and Heap Corruption in GraphicBuffer::unflatten

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1474. PoCs published by p1gl3t.

AI-analyzed exploit summary This PoC exploits CVE-2015-1474 by crafting a malicious Parcel to crash SurfaceFlinger during deserialization, leveraging a modified screencap command. It manipulates the BufferQueue and BnGraphicBufferProducer to trigger the vulnerability.

Description

Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.

Exploits (1)

nomisec WORKING POC 20 stars
by p1gl3t · poc
https://github.com/p1gl3t/CVE-2015-1474_poc

This PoC exploits CVE-2015-1474 by crafting a malicious Parcel to crash SurfaceFlinger during deserialization, leveraging a modified screencap command. It manipulates the BufferQueue and BnGraphicBufferProducer to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Android SurfaceFlinger (versions affected by CVE-2015-1474)
No auth needed
Prerequisites: Access to compile and run code on the target Android device · Modification of Binder.h to expose BBinder::onTransact
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72788
Third Party Advisory, VDB Entry mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/63
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031875

Scores

EPSS 0.0374
EPSS Percentile 88.6%

Details

CWE
CWE-189
Status published
Products (1)
google/android < 5.0
Published Feb 16, 2015
Tracked Since Feb 18, 2026