CVE-2024-49745

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0007 21.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In growData of Parcel.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-49745 is a vulnerability in the growData function of Parcel.cpp, where an incorrect bounds check can lead to an out-of-bounds write (CWE-787). This issue affects the Android operating system, specifically components involved in parcel data handling, such as the Binder IPC mechanism.

The vulnerability enables local escalation of privilege with no additional execution privileges required beyond low-privilege user access (PR:L). Exploitation requires local access, low attack complexity (AC:L), and no user interaction (UI:N), potentially resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 7.8; C:H/I:H/A:H).

The Android Security Bulletin published on 2025-01-01 at https://source.android.com/security/bulletin/2025-01-01 details affected versions and provides patches for mitigation. Security practitioners should apply these updates promptly to vulnerable Android devices.

Details

CWE(s): CWE-787

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com