CVE-2024-10382

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-10382
There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
CVSS

No CVSS.

References
Link Resource
https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03 Release Notes
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:google:androidx.car.app:*:*:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:alpha01:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:alpha02:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:beta01:*:*:*:*:*:*
History

04 Aug 2025, 14:11

Type Values Removed Values Added
CPE cpe:2.3:a:google:car:1.7.0:alpha02:*:*:*:*:*:*
cpe:2.3:a:google:car:1.7.0:beta01:*:*:*:*:*:*
cpe:2.3:a:google:car:1.7.0:alpha01:*:*:*:*:*:*
cpe:2.3:a:google:car:*:*:*:*:*:*:*:*		 cpe:2.3:a:google:androidx.car.app:1.7.0:alpha02:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:*:*:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:alpha01:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:beta01:*:*:*:*:*:*
First Time Google androidx.car.app

29 Jul 2025, 18:17

Type Values Removed Values Added
CPE cpe:2.3:a:google:car:1.7.0:alpha01:*:*:*:*:*:*
cpe:2.3:a:google:car:1.7.0:alpha02:*:*:*:*:*:*
cpe:2.3:a:google:car:*:*:*:*:*:*:*:*
cpe:2.3:a:google:car:1.7.0:beta01:*:*:*:*:*:*
References () https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03 - () https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03 - Release Notes
First Time Google
Google car

26 Nov 2024, 11:21

Type Values Removed Values Added
Summary There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02 There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

20 Nov 2024, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-20 11:15

Updated : 2025-08-04 14:11

NVD link : CVE-2024-10382

Mitre link : CVE-2024-10382

JSON object : View

Products Affected

google

  • androidx.car.app
CWE

No CWE.