CVE-2024-40651

High

Published: 28 January 2025

Published

28 January 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

In TBD of TBD, there is a possible use-after-free due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-40651 is a use-after-free vulnerability (CWE-416) caused by a logic error in the code within TBD of TBD. This issue affects the kernel and could lead to local escalation of privilege, requiring no additional execution privileges or user interaction for exploitation. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability due to its low attack complexity and lack of privilege or user interaction requirements. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, resulting in kernel-level privilege escalation from an unprivileged user context.

The Android Security Bulletin provides details on mitigation, available at https://source.android.com/security/bulletin/2024-10-01.

Details

CWE(s): CWE-416

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/2024-10-01
Vendor Advisory · security@android.com