CVE-2024-34730

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In multiple locations, there is a possible bypass of user consent to enabling new Bluetooth HIDs due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-34730 is a logic error vulnerability present in multiple locations within Android's Bluetooth stack, enabling a bypass of user consent when pairing new Bluetooth Human Interface Devices (HIDs). This flaw, tagged under CWE-276 (Incorrect Default Permissions), affects the system's permission handling for Bluetooth device authorization. It was published on 2025-01-21 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Exploitation leads to escalation of privilege, granting high-impact access to confidentiality, integrity, and availability without needing additional execution privileges.

The Android Security Bulletin for January 2025, available at https://source.android.com/security/bulletin/2025-01-01, details affected versions and provides patches for mitigation.

Details

CWE(s): CWE-276

Affected Products

google

android

12.0, 12.1, 13.0, 14.0

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com