CVE-2024-53841

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In startListeningForDeviceStateChanges, there is a possible Permission Bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-53841 is a permission bypass vulnerability stemming from a confused deputy issue in the startListeningForDeviceStateChanges function. It affects Google Pixel devices running Android, as documented in the December 2024 Pixel security bulletin. The flaw enables local escalation of privilege without requiring additional execution privileges or user interaction and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-276.

A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of need for user interaction (UI:N). Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, facilitating privilege escalation on the affected device.

The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2024-12-01 provides details on patches and mitigation for this vulnerability.

Details

CWE(s): CWE-276

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com