CVE-2024-43767

High

Published: 03 January 2025

Published

03 January 2025

Modified

21 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0091 76.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-43767 is a heap overflow vulnerability in the prepare_to_draw_into_mask function of SkBlurMaskFilterImpl.cpp within the Skia graphics library, as integrated in the Android platform's external Skia component. The flaw arises from improper input validation and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-94 (Code Injection).

A remote attacker with network access can exploit this vulnerability with low attack complexity and no required privileges. Although the description states that user interaction is not needed, the CVSS vector specifies UI:R. Successful exploitation could result in remote code execution, compromising confidentiality, integrity, and availability to a high degree without needing additional execution privileges.

The Android security bulletin for December 2024-01 addresses this issue, and a patch is available in Skia via the commit at https://android.googlesource.com/platform/external/skia/+/796c2040f641bb287dba66c9823ce45e9f8b5807. Security practitioners should apply these updates promptly to affected Android devices.

Details

CWE(s): CWE-94

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

References

https://android.googlesource.com/platform/external/skia/+/796c2040f641bb287dba66c9823ce45e9f8b5807
Product · security@android.com
https://source.android.com/security/bulletin/2024-12-01
Vendor Advisory · security@android.com