CVE-2024-47032
Published: 03 January 2025
Description
In construct_transaction_from_cmd of lwis_ioctl.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-47032 is a heap buffer overflow vulnerability stemming from an out-of-bounds write in the construct_transaction_from_cmd function within lwis_ioctl.c. This flaw affects Android devices, particularly Google Pixel models as detailed in the associated security bulletin. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-120 (Buffer Copy without Checking Size of Input).
A local attacker with low-privilege access can exploit this vulnerability without requiring user interaction or additional execution privileges. Successful exploitation enables escalation of privileges, potentially granting full control over the affected device with high impacts on confidentiality, integrity, and availability.
The Android Pixel security bulletin from December 1, 2024 (https://source.android.com/security/bulletin/pixel/2024-12-01) addresses this issue, recommending users apply the provided patches to mitigate the risk.
Details
- CWE(s)