CVE-2017-0411

HIGH

Android 7.0 7.1.1 - Elevation of Privilege via Framework APIs Race Condition

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-0411. PoCs published by Google Security Research, lulusudoku.

AI-analyzed exploit summary This exploit leverages a deserialization vulnerability in Android's MemoryIntArray class to manipulate memory addresses and file descriptors, allowing an attacker to unmap critical memory regions in a remote process (e.g., system_server) by spoofing PID and memory address fields in a Parcel.

Description

An elevation of privilege vulnerability in the Framework APIs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-33042690.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Google Security Research · textdosandroid

https://www.exploit-db.com/exploits/41354

View Code ZIP pw:eip

This exploit leverages a deserialization vulnerability in Android's MemoryIntArray class to manipulate memory addresses and file descriptors, allowing an attacker to unmap critical memory regions in a remote process (e.g., system_server) by spoofing PID and memory address fields in a Parcel.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: Android (affects versions up to 7.1.1)

No auth needed

Prerequisites: Access to a vulnerable Android device · Ability to send crafted Parcels/Bundles to a privileged process

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1555 - Credentials from Password Stores

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by lulusudoku · poc

https://github.com/lulusudoku/PoC

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2017-0411, an arbitrary unmap vulnerability in Android's MemoryIntArray. The exploit manipulates file descriptors and memory addresses to trigger uncontrolled unmapping in the ActivityManager service.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Android (versions affected by CVE-2017-0411)

No auth needed

Prerequisites: Access to an affected Android device · Ability to install and run the PoC application

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41354/

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1037798

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/96056

Vendor Advisory x_refsource_confirm

https://source.android.com/security/bulletin/2017-02-01.html

Scores

CVSS v3 7.8

EPSS 0.0287

EPSS Percentile 85.0%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-367

Status published

Products (5)

google/android 7.0

google/android 7.1.0

google/android 7.1.1

Google Inc./Android Android-7.0

Google Inc./Android Android-7.1.1

Published Feb 08, 2017

Tracked Since Feb 18, 2026