CVE-2004-2627
Description
Java 2 Micro Edition fails to validate bytecode, enabling sandbox escape and arbitrary code execution on mobile devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Java 2 Micro Edition (J2ME) does not properly validate bytecode, allowing attackers to escape the Kilobyte Virtual Machine (KVM) sandbox. This flaw affects multiple mobile phone models, including the Nokia 6310i, and likely others running J2ME implementations from Sun Microsystems [2].
Exploitation
An attacker can exploit this vulnerability by delivering a malicious Java application to a target device, e.g., via SMS or download. No authentication is required. The exploit has been demonstrated on a Nokia 6310i handset, where the attacker's Java code executes outside the sandbox [2].
Impact
Successful exploitation leads to complete compromise of Java security on the device. Attackers can access phone data (contacts, SMS messages, dialed numbers), send arbitrary SMS messages, transfer data over the network, and write to permanent memory, potentially creating a backdoor or rendering the phone unusable [2].
Mitigation
No official patch or fix is disclosed in the available references. Users should avoid installing untrusted Java applications on affected devices. As this is an older vulnerability, modern devices may have addressed it through updated J2ME implementations.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (7)
- secunia.com/advisories/12945 (nvd, Vendor Advisory)
- archives.neohapsis.com/archives/bugtraq/2004-10/0231.html (nvd)
- archives.neohapsis.com/archives/fulldisclosure/2004-10/0884.html (nvd)
- securitytracker.com/id (nvd)
- www.osvdb.org/11041 (nvd)
- www.theregister.co.uk/2004/10/22/mobile_java_peril/ (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17825 (nvd)