CVE-2024-53833

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In prepare_response_locked of lwis_transaction.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-53833 is a vulnerability in the prepare_response_locked function of lwis_transaction.c that enables a possible out-of-bounds write due to improper input validation. It affects Google Pixel devices on Android, as documented in the December 2024 Pixel security bulletin.

The vulnerability allows local escalation of privilege with no additional execution privileges required and no user interaction needed. A local attacker with low privileges (PR:L) can exploit it under low attack complexity conditions (AC:L), potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 7.8 (CWE-787).

The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2024-12-01 provides details on patches for mitigation. Security practitioners should apply these updates to affected Pixel devices to address the issue.

Details

CWE(s): CWE-787

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com