CVE-2024-53837

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 10.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In prepare_response of lwis_periodic_io.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-53837 involves an out-of-bounds write vulnerability stemming from an integer overflow in the prepare_response function within lwis_periodic_io.c. This flaw affects Google Pixel devices running Android, as identified in the official security bulletin.

A local attacker with low privileges (PR:L) can exploit the vulnerability with low attack complexity and no user interaction required. Successful exploitation enables local escalation of privilege, resulting in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The Android Security Bulletin for Pixel devices, dated 2024-12-01 and available at https://source.android.com/security/bulletin/pixel/2024-12-01, details patches mitigating this issue (CWE-787) for supported Pixel models. Security practitioners should ensure devices are updated to the latest firmware to address exposure.

Details

CWE(s): CWE-787

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com