Short study on the presence of type confusion vulnerabilities in the Java and Android runtimes
In this study we use PoC of the following vulnerabilities: CVE-2014-0456, CVE-2015-4843, CVE-2016-3587, CVE-2017-3272, CVE-2018-2826 and manually analyze the patch of the following vulnerabilies: CVE-2024-20919, CVE-2024-20921 to understand how many versions of OpenJDK and the Android runtime are impacted.
Results indicate that 95% of OpenJDK versions (1.6 to 21.0.4) and 71% of Android versions (2.3 to 15) are impacted. Results indicate that the lifetime is more than 3 years for four CVEs and up to 9 years for two CVEs.