Cyber Posture

CVE-2024-34733

Severity: High

Published: 28 January 2025
Modified: 27 June 2025
KEV Added: (no date listed)
Patch: (no date listed)
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (percentile rank 8.3)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In DevmemXIntMapPages of devicemem_server.c, there is a possible arbitrary code execution due to an integer overflow. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-34733 is an integer overflow vulnerability in the DevmemXIntMapPages function of devicemem_server.c that can lead to arbitrary code execution. The issue affects the Android kernel and was published on 2025-01-28T20:15:30.893. It carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-190 (Integer Overflow or Wraparound).

A local attacker needs no additional execution privileges and no user interaction to exploit this vulnerability, and the attack complexity is low. Successful exploitation leads to local escalation of privilege within the kernel, with high impact on confidentiality, integrity, and availability.

The Android Security Bulletin at https://source.android.com/security/bulletin/2024-10-01 provides details on affected versions and available patches for mitigation.

Details

CWE(s): CWE-190

Affected Products: google android, all versions
