Cyber Posture

CVE-2024-43768

Severity: High
Published: 03 January 2025
Modified: 21 April 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-43768 is a vulnerability in the Skia graphics library: an out-of-bounds write caused by an integer overflow in skia_alloc_func in SkDeflate.cpp. It affects the Android platform, specifically the external/skia component.

A local attacker with low privileges can exploit this vulnerability to escalate privilege; no additional execution privileges and no user interaction are required. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability for local users under straightforward exploitation conditions.

The Android Security Bulletin for December 2024 describes the vulnerability and provides patches. The fix is commit b5543cb8c6b95623743016055220378efe73eb93 in the Android external Skia repository.
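The bug class named in the description, an integer overflow in an allocation-size computation that leaves the caller writing past the buffer it actually obtained, shown as an added C illustration that is not Skia's code: a zlib-style allocation callback taking (items, size) is assumed, with the wrapping multiply beside an overflow-checked one that refuses the request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical zlib-style allocation callback taking (items, size),
 * assumed for illustration; this is not the code in SkDeflate.cpp. */

/* Unchecked product: when items * size exceeds SIZE_MAX the value wraps,
 * so a caller that later writes items * size bytes writes past the block. */
static size_t unchecked_alloc_size(size_t items, size_t size) {
    return items * size;
}

/* Overflow-checked multiply: returns 0 with the product in *out,
 * or -1 if the product does not fit in size_t. */
static int checked_mul(size_t items, size_t size, size_t *out) {
    if (items != 0 && size > SIZE_MAX / items) {
        return -1;
    }
    *out = items * size;
    return 0;
}

/* Hardened callback: refuse an oversized request instead of handing back
 * a buffer far smaller than the caller computed. */
static void *safe_alloc_func(void *opaque, size_t items, size_t size) {
    size_t bytes;
    (void)opaque;
    if (checked_mul(items, size, &bytes) != 0) {
        return NULL;
    }
    return calloc(1, bytes);
}

int main(void) {
    /* Constructed request: 2^(bits-2) items of 8 bytes; the true product
     * is 2^(bits+1), which wraps to 0 in size_t. */
    size_t huge = (size_t)1 << (sizeof(size_t) * 8 - 2);
    printf("unchecked size: %zu bytes\n", unchecked_alloc_size(huge, 8));
    printf("hardened alloc: %s\n",
           safe_alloc_func(NULL, huge, 8) ? "allocated" : "refused");
    return 0;
}
```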

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

Vendor: google
Product: android
Versions: 12.0, 12.1, 13.0, 14.0, 15.0

References