You should now refer to this paper:
- Alexandre Bartel, "Bugfuscation", Nordic Conference on Secure IT Systems, 2025.
- Github repo: https://github.com/software-engineering-and-security/bugfu
- BibTeX:
@inproceedings{bartel2025bugfuscation,
title={Bugfuscation},
author={Bartel, Alexandre},
booktitle={Nordic Conference on Secure IT Systems},
pages={539--558},
year={2025},
organization={Springer}
}
Short study on the presence of type confusion vulnerabilities in the Java and Android runtimes
In this study we use PoC of the following vulnerabilities: CVE-2014-0456, CVE-2015-4843, CVE-2016-3587, CVE-2017-3272, CVE-2018-2826 and manually analyze the patch of the following vulnerabilies: CVE-2024-20919, CVE-2024-20921 to understand how many versions of OpenJDK and the Android runtime are impacted.
Results indicate that 95% of OpenJDK versions (1.6 to 21.0.4) and 71% of Android versions (2.3 to 15) are impacted. Results indicate that the lifetime is more than 3 years for four CVEs and up to 9 years for two CVEs.