Cyber Posture

CVE-2024-49735

High

Published: 21 January 2025

Modified: 22 April 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In multiple locations, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-49735 is a vulnerability in Android that involves a failure to persist permissions settings due to resource exhaustion in multiple locations. This issue, classified under CWE-276 (Incorrect Default Permissions), enables local escalation of privilege without requiring additional execution privileges or user interaction. It received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 21, 2025.

A local attacker with low-privilege access can exploit this vulnerability; attack complexity is low and no user interaction is required. Successful exploitation allows the attacker to gain elevated privileges, resulting in high confidentiality, integrity, and availability impacts on the affected system.

The Android Security Bulletin dated January 1, 2025, available at https://source.android.com/security/bulletin/2025-01-01, details patches and mitigation guidance for addressing this vulnerability.

Details

CWE(s)
CWE-276

Affected Products

google android 15.0
