Cyber Posture

CVE-2024-53842

Critical

Published: 03 January 2025

Modified: 24 July 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0285 (86.3rd percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

In cc_SendCcImsInfoIndMsg of cc_MmConManagement.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-53842 is a vulnerability involving an out-of-bounds write due to a missing bounds check in the cc_SendCcImsInfoIndMsg function of cc_MmConManagement.c. This issue affects Android devices, as documented in the Pixel security bulletin.

The vulnerability enables remote code execution without requiring additional execution privileges or user interaction. Per the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an attacker can exploit it over the network with low attack complexity and no privileges, achieving high impacts on confidentiality, integrity, and availability.

The vulnerability is classified as CWE-787 (Out-of-bounds Write). The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2024-12-01 provides details on the patches that mitigate it.

Details

CWE(s)
CWE-787

Affected Products

google android, all versions

References