CVE-2024-53838

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In Exynos_parsing_user_data_registered_itu_t_t35 of VendorVideoAPI.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-53838 involves an out-of-bounds write vulnerability stemming from an incorrect bounds check in the Exynos_parsing_user_data_registered_itu_t_t35 function of VendorVideoAPI.cpp. This flaw affects Android devices, as detailed in the Pixel security bulletin, and is classified under CWE-787 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges, such as a standard user or app, can exploit this vulnerability to escalate privileges without needing additional execution privileges or user interaction. The low attack complexity enables arbitrary code execution or system compromise, leading to high impacts on confidentiality, integrity, and availability.

The Android Pixel security bulletin dated 2024-12-01, available at https://source.android.com/security/bulletin/pixel/2024-12-01, documents patches addressing this CVE for affected devices. Security practitioners should apply these updates promptly to mitigate the risk.

Details

CWE(s): CWE-787

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com