CVE-2024-49744

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Security Summary

CVE-2024-49744 is a vulnerability in the checkKeyIntentParceledCorrectly function of AccountManagerService.java within the Android framework. It stems from unsafe deserialization that allows bypassing parcel mismatch mitigation, potentially enabling local escalation of privilege without requiring additional execution privileges. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-276 (Incorrect Default Permissions).

A local attacker with low privileges (PR:L) can exploit this vulnerability through a crafted intent, leading to escalation of privileges on the device. Exploitation requires user interaction, as noted in the description, and has low attack complexity with local access. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, allowing the attacker to gain elevated access.

The Android Security Bulletin for January 2025 at https://source.android.com/security/bulletin/2025-01-01 provides details on affected versions and patches to mitigate this issue. Security practitioners should apply the recommended updates promptly to Android devices.

Details

CWE(s): CWE-276

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com