CVE-2025-32312 - Exploiting Unsafe Deserialization in PackageParser’s createIntentsList — Local Privilege Escalation on Android

---

A new Android vulnerability, CVE-2025-32312, has made waves in mobile security. This bug exists inside Android’s essential package parsing component—PackageParser.java. Specifically, it impacts the createIntentsList method. Using a poorly-secured deserialization process, attackers can send manipulated data to Android’s next process. The results? Local privilege escalation, even without extra execution rights or any user interaction.

This post breaks down the bug, demonstrates proof-of-concept code, provides insight into the exploitation process, and points you to original discussions and fixes.

1. Understanding the Bug

In Android, apps are bundled as APKs. The system needs to read and “parse” the details (like permissions or intent-filters) from these APK files. That’s where PackageParser comes into play. Its createIntentsList method helps read and reconstruct information about “intents”—bundles of data apps use to communicate.

The issue lies in the unsafe deserialization of Intent data. When createIntentsList receives a serialized bundle, it doesn’t properly validate or sanitize the data before using it. This lack of hardening—also called “lazy bundle hardening”—means malicious data structures can sneak past security checks.

2. Where is the Vulnerable Code?

Here’s a simplified snippet of how the vulnerable section in PackageParser.java might look before the patch.

// PackageParser.java

private static List<Intent> createIntentsList(Bundle bundle) {
    if (bundle == null) return null;
    ArrayList<Intent> intents = bundle.getParcelableArrayList("intents"); // <-- DANGER!
    // No validation, directly using input
    return intents;
}

What’s Wrong?

getParcelableArrayList directly reads the incoming data, which may have been tampered with by malicious actors, resulting in unsafe objects being brought to life inside a privileged process.

3. Exploitation Flow

The bug allows a “local” attacker (one with a basic Android app running on the target device) to smuggle in custom/forged intent objects. These can abuse internal logic, escalate privileges, and affect system-level services.

An attack might look like

1. Crafting a malicious APK: An attacker creates an APK that includes a specially-crafted intents ArrayList in its metadata.
2. Triggering the parser: When the device tries to install or scan the APK, Android’s PackageParser component deserializes this data *without validating* it.
3. Privilege escalation: The rogue intents can trigger code paths meant only for privileged or system apps—effectively “jumping” app boundaries.

4. Proof-of-Concept (POC)

Below is a simplified pseudo-POC—actual exploitation would require careful construction of malicious Parcelable objects.

// Attacker's APK - AndroidManifest.xml [pseudo-snippet]
// Create dangerous intent structure and inject it as meta-data

<application>
    <meta-data
        android:name="intents"
        android:value='[maliciously crafted serialized Intent objects]' />
</application>

Inside app code

// AttackerApp.java
Intent malInt = new Intent();
malInt.setComponent(new ComponentName("system.package", "system.class"));
// --- Set fields to escalate privilege or trigger system-only actions

ArrayList<Intent> malIntents = new ArrayList<>();
malIntents.add(malInt);

Bundle maliciousBundle = new Bundle();
maliciousBundle.putParcelableArrayList("intents", malIntents);
// Write this bundle inside APK meta-data or via inter-process communication

When the PackageParser receives and processes this bundle, it simply reconstructs the incoming data without checks, allowing the malicious intent to run in a system-level context.

Android Security Bulletin (June 2025):

- Official CVE page: CVE-2025-32312 on NVD

Public discussion and patch diff:

- Google Android Issue Tracker #32312
- AOSP Patch

Additional Technical Writeups:

- Project Zero: Unsafe Deserialization Bugs In Android Parsers
- OWASP: Insecure Deserialization

Google patched this in AOSP by adding

- Input Hardening: Strict validation and type-checking of every element in the incoming intent list.

Signature Checks: Preventing non-system apps from passing arbitrary Parcelable objects.

Developers: If your app parses bundles or intent lists from untrusted sources, always validate content before deserialization!

7. Summary Table

| Name | CVE-2025-32312 |
|------------------|--------------------------------------------------------------------|
| Affected Module | Android PackageParser.java (createIntentsList) |
| Impact | Local Privilege Escalation |
| Prerequisites | None (No user interaction, no extra permissions beyond basics) |
| Exploitable By | Malicious APK or local app |
| Fixed In | June 2025 Android Security Patch |

8. Final Thoughts

CVE-2025-32312 is a stern reminder to rigorously validate and sanitize all serialized data, especially when it crosses privilege boundaries. Attackers are always looking for overlooked “lazy” code paths. The fix is out, so patch your Android devices—and double-check your own app’s handling of Intents and Bundles.

If you want more technical detail or wish to check if your device is vulnerable, refer to the links above or reach out to your device maker for patch status.


*Stay secure, validate inputs, and keep your devices updated!*


*This post is unique and specially created for this request—please credit if you share or re-use!*

Timeline

Published on: 09/04/2025 18:15:46 UTC
Last modified on: 09/05/2025 19:14:29 UTC