CVE-2024-49732

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In multiple functions of CompanionDeviceManagerService.java, there is a possible way to grant permissions without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-49732 is a vulnerability affecting multiple functions in CompanionDeviceManagerService.java within the Android operating system. It stems from a missing permission check that enables the granting of permissions without user consent, potentially leading to local escalation of privilege. No additional execution privileges are required beyond basic local access, and the issue is rated at a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), linked to CWE-276 (Incorrect Default Permissions). The vulnerability was published on 2025-01-21.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation allows elevation to higher privileges, resulting in high impacts on confidentiality, integrity, and availability, such as unauthorized access to sensitive data or system resources.

The official Android security bulletin provides mitigation details, available at https://source.android.com/security/bulletin/2025-01-01, which includes patches for affected Android versions.

Details

CWE(s): CWE-276

Affected Products

google

android

15.0

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com