CVE-2024-43077

High

Published: 03 January 2025

Published

03 January 2025

Modified

03 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In DevmemValidateFlags of devicemem_server.c , there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-43077 is a memory corruption vulnerability in the DevmemValidateFlags function of devicemem_server.c, resulting in a possible out-of-bounds write. This issue affects Android devices, as documented in the associated security bulletin.

A local attacker with low privileges (PR:L) can exploit this vulnerability without requiring user interaction or additional execution privileges. Successful exploitation enables local escalation of privilege, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The root cause is classified under CWE-787 (Out-of-bounds Write).

Mitigation details, including available patches, are provided in the Android security bulletin at https://source.android.com/security/bulletin/2024-12-01.

Details

CWE(s): CWE-787

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/2024-12-01
Vendor Advisory · security@android.com