Cyber Posture

CVE-2024-43762

High

Published: 03 January 2025

Modified: 03 July 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In multiple locations, there is a possible way to avoid unbinding of a service from the system due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-43762 is a logic error present in multiple locations within the Android Open Source Project's platform/frameworks/base component. The flaw makes it possible to avoid unbinding a service from the system, resulting in local escalation of privilege without requiring additional execution privileges or user interaction. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). NVD has not yet assigned it a specific CWE (NVD-CWE-noinfo).

A local attacker with low privileges (PR:L) can exploit this issue with low complexity (AC:L) and no need for user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) and allows privilege escalation on affected Android devices.

The Android Security Bulletin dated 2024-12-01 addresses CVE-2024-43762, recommending updates to patched Android versions for mitigation. A corresponding patch is available in the Android Open Source Project at commit ae43ac7f3d3d5112b0f54b5315a15b08208acf9c within platform/frameworks/base.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

google android: 12.0, 12.1, 13.0, 14.0, 15.0
