CVE-2024-10382

HIGH

androidx.car.app < 1.7.0-beta02 - Remote Code Execution via Untrusted Deserialization

Title source: llm

Description

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

References (1)

Core 1

Core References

Release Notes

https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 16.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-502 CWE-94

Status published

Products (2)

google/androidx.car.app 1.7.0 alpha01 (3 CPE variants)

google/androidx.car.app < 1.4.0

Published Nov 20, 2024

Tracked Since Feb 18, 2026