CVE-2024-53834

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0078 73.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

In sms_DisplayHexDumpOfPrivacyBuffer of sms_Utilities.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-53834 is a vulnerability in the sms_DisplayHexDumpOfPrivacyBuffer function of sms_Utilities.c, where an incorrect bounds check enables a possible out-of-bounds read. This issue affects Android devices, as documented in the Pixel security bulletin.

Remote attackers can exploit this vulnerability to disclose sensitive information without needing additional execution privileges or user interaction. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) highlights its severity, stemming from network-based access, low complexity, lack of prerequisites, and high confidentiality impact, with no integrity or availability disruption.

The Android Pixel security bulletin for December 2024, available at https://source.android.com/security/bulletin/pixel/2024-12-01, provides details on patches to mitigate this vulnerability.

Details

CWE(s): CWE-125

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com