CVE-2017-13286
HIGHGoogle Android - Insecure Deserialization
Title source: ruleDescription
In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251.
Exploits (2)
github
WORKING POC
by slient2009 · javapoc
https://github.com/slient2009/CVE-PoCs/tree/main/CVE-2017-13286
Scores
CVSS v3
7.8
EPSS
0.0001
EPSS Percentile
1.7%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (2)
google/android
8.0
google/android
8.1
Published
Apr 04, 2018
Tracked Since
Feb 18, 2026