CVE-2024-40675
Published: 28 January 2025
Description
In parseUriInternal of Intent.java, there is a possible infinite loop due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-40675 is a vulnerability in the parseUriInternal function of Intent.java within the Android Open Source Project's frameworks/base component. It arises from improper input validation that can trigger an infinite loop, mapped to CWE-835 (Loop with Unreachable Exit Condition). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no effects on confidentiality or integrity.
Per the vector, the vulnerability can be exploited by remote attackers over the network with low attack complexity, requiring neither privileges nor user interaction. Successful exploitation results in a local denial of service through the infinite loop, potentially disrupting system responsiveness, with no additional execution privileges needed.
The Android Security Bulletin for October 2024-01 addresses this vulnerability and advises applying updates to affected Android versions. Mitigation is provided through a patch in the Android source code at commit c6b5490ec659b5854fd429f453f75de5befa6359.
Details
- CWE(s): CWE-835 (Loop with Unreachable Exit Condition)