CVE-2024-43097
Published: 03 January 2025
Description
In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-43097 is an out-of-bounds write vulnerability stemming from an integer overflow in the resizeToAtLeast function within SkRegion.cpp of the Skia graphics library. This issue affects the Android platform, where Skia is integrated as an external component. Assigned CWE-787, it carries a CVSS v3.1 base score of 7.8 (High), reflecting its local attack vector, low attack complexity, requirement for low privileges, lack of user interaction, and high impacts on confidentiality, integrity, and availability.
A local attacker with low privileges (PR:L) can exploit this vulnerability without additional execution privileges or user interaction. Successful exploitation enables escalation of privilege, potentially granting higher-level access on the affected Android device and compromising sensitive data or system integrity due to the out-of-bounds write.
Mitigation is addressed in the Android Security Bulletin for December 2024, which details patches for affected versions. The specific fix is implemented in Skia via commit 8d355fe1d0795fc30b84194b87563f75c6f8f2a7. Debian LTS users are also notified in the March 2025 announcement to apply corresponding updates.
Details
- CWE(s)