CVE-2024-49749
Published: 21 January 2025
Description
In DGifSlurp of dgif_lib.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-49749 is an out-of-bounds write vulnerability stemming from an integer overflow in the DGifSlurp function within dgif_lib.c, a component of the GIF image processing library. This flaw affects Android systems, as detailed in the January 2025 Android security bulletin. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-787 (Out-of-bounds Write), potentially enabling remote code execution without requiring additional execution privileges.
A remote attacker could exploit this vulnerability by supplying a specially crafted GIF file, leading to remote code execution when the file is processed. Exploitation requires no privileges (PR:N) and has low attack complexity (AC:L) over the network (AV:N). The CVSS vector marks user interaction as required (UI:R), whereas the description above states that user interaction is not needed. Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), with scope unchanged (S:U).
The Android security bulletin at https://source.android.com/security/bulletin/2025-01-01 provides details on patches for affected Android versions, recommending users apply the January 2025 security update to mitigate the vulnerability.
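The bug class named in the description (an integer overflow in a size calculation that then permits an out-of-bounds write) is shown below as an added example. It is not code from dgif_lib.c or from the Android patch. The function names, the 4-bytes-per-pixel output format, and the 64 MiB cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked size calculation: the product is computed in 32 bits and wraps.
 * Unsigned types are used so the wrap is well defined for this demonstration. */
uint32_t unchecked_frame_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened calculation: validates dimensions and proves the product fits under
 * max_bytes using division only, so no intermediate value can overflow.
 * Returns 0 and stores the size in *out, or -1 if the frame must be rejected. */
int checked_frame_bytes(long width, long height, size_t bpp,
                        size_t max_bytes, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp == 0 || out == NULL)
        return -1;
    size_t max_pixels = max_bytes / bpp;
    if ((size_t)width > max_pixels)
        return -1;
    if ((size_t)height > max_pixels / (size_t)width)
        return -1;
    *out = (size_t)width * (size_t)height * bpp;
    return 0;
}

int main(void)
{
    /* Constructed sample: both dimensions fit a GIF's 16-bit size fields. */
    uint32_t w = 32768, h = 32768, bpp = 4;   /* bpp = 4 is an assumed output format */
    size_t cap = (size_t)64 << 20;            /* assumed policy limit: 64 MiB */
    size_t bytes = 0;

    printf("unchecked: %u bytes\n", (unsigned)unchecked_frame_bytes(w, h, bpp));
    if (checked_frame_bytes((long)w, (long)h, bpp, cap, &bytes) != 0)
        printf("checked: frame rejected before allocation\n");
    if (checked_frame_bytes(640, 480, bpp, cap, &bytes) == 0)
        printf("checked: 640x480 needs %zu bytes\n", bytes);
    return 0;
}
```

With the unchecked form, a buffer sized from the wrapped result is far smaller than the pixel data later written into it; the checked form rejects the frame before any allocation takes place.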
Details
- CWE(s)