SB2024030443 - Multiple vulnerabilities in Google Android
Published: March 4, 2024 Updated: July 3, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 37 secuirty vulnerabilities.
1) Use After Free (CVE-ID: CVE-2023-43546)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local application can execute arbitrary code.
2) Stack-based buffer overflow (CVE-ID: CVE-2023-43549)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
3) Buffer overflow (CVE-ID: CVE-2023-43548)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Video. A remote attacker can read and manipulate data.
4) Buffer over-read (CVE-ID: CVE-2023-43539)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
5) Configuration (CVE-ID: CVE-2023-33105)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host and Firmware. A remote attacker can perform a denial of service (DoS) attack.
6) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-33066)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
7) Improper input validation (CVE-ID: CVE-2023-33042)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
8) Memory corruption (CVE-ID: CVE-2023-28578)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Services. A local application can execute arbitrary code.
9) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-43553)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HOST. A remote attacker can execute arbitrary code.
10) Use After Free (CVE-ID: CVE-2023-43552)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can execute arbitrary code.
11) Integer overflow (CVE-ID: CVE-2023-43550)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core Services. A local application can execute arbitrary code.
12) Use After Free (CVE-ID: CVE-2023-43547)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local application can execute arbitrary code.
13) Out-of-bounds read (CVE-ID: CVE-2024-20026)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to improper input validation within da. A local privileged application can gain access to sensitive information.
14) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-48424)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper privilege management in Bootloader within the AMLogic component. A local application can execute arbitrary code with elevated privileges.
15) Out-of-bounds write (CVE-ID: CVE-2024-20020)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to an incorrect bounds check within OPTEE. A local privileged application can gain access to sensitive information.
16) Improper input validation (CVE-ID: CVE-2024-20028)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within da. A local privileged application can execute arbitrary code.
17) Improper input validation (CVE-ID: CVE-2024-20027)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation within da. A local privileged application can execute arbitrary code.
18) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2024-20025)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an integer overflow within da. A local privileged application can execute arbitrary code.
19) Out-of-bounds write (CVE-ID: CVE-2024-20024)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within flashc. A local privileged application can execute arbitrary code.
20) Out-of-bounds write (CVE-ID: CVE-2024-20023)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within flashc. A local privileged application can execute arbitrary code.
21) Improper Privilege Management (CVE-ID: CVE-2024-20022)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within lk. A local privileged application can execute arbitrary code.
22) Improper Access Control (CVE-ID: CVE-2024-20005)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing permission check within da. A local privileged application can execute arbitrary code.
23) Use-after-free (CVE-ID: CVE-2023-6241)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error. A local user can trigger a use-after-free error and execute arbitrary code on the system.
24) Use-after-free (CVE-ID: CVE-2023-6143)
The vulnerability allows a local user to escalate privileges on the system.
25) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-48425)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper privilege management in Bootloader within the AMLogic component. A local application can execute arbitrary code with elevated privileges.
26) Information exposure (CVE-ID: CVE-2024-0052)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
27) Improper input validation (CVE-ID: CVE-2024-0051)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
28) Improper input validation (CVE-ID: CVE-2024-0049)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
29) Improper input validation (CVE-ID: CVE-2024-0048)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
30) Improper input validation (CVE-ID: CVE-2024-0046)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
31) Information exposure (CVE-ID: CVE-2024-0045)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
32) Improper input validation (CVE-ID: CVE-2024-0050)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
33) Improper input validation (CVE-ID: CVE-2024-0039)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
34) Improper input validation (CVE-ID: CVE-2024-23717)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
35) Improper input validation (CVE-ID: CVE-2024-0047)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.
36) Information exposure (CVE-ID: CVE-2024-0053)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
37) Information exposure (CVE-ID: CVE-2023-40081)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
Remediation
Install update from vendor's website.
References
- https://source.android.com/docs/security/bulletin/2024-03-01
- https://android.googlesource.com/platform/packages/modules/HealthFitness/+/178f4824574fdf33ed4ac584d092240d1c771b04
- https://android.googlesource.com/platform/frameworks/av/+/a52c14a5b49f26efafa581dea653b4179d66909e
- https://android.googlesource.com/platform/frameworks/av/+/462689f06fd5e72ac63cd87b43ee52554ddf953e
- https://android.googlesource.com/platform/frameworks/base/+/2c236cde5505ee0e88cf1e3d073e2f1a53f0eede
- https://android.googlesource.com/platform/frameworks/base/+/d68cab5ac1aa294ec4d0419bc0803a5577e4e43c
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7d0f696f450241d8ba7a168ba14fa7b75032f0c9
- https://android.googlesource.com/platform/frameworks/av/+/8f3bc8be16480367bac36effa25706133a0dc22d
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/17044ccf3a2858633cad8f87926e752edfe0d8d8
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f0f35273101518d1f3a660b151804e90d0249af3
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/015c618a0461def93138173a53daaf27ca0630c9
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c5c528beb6e1cfed3ec93a3a264084df32ce83c2
- https://android.googlesource.com/platform/frameworks/base/+/3cd8a2c783fc736627b38f639fe4e239abcf6af1
- https://android.googlesource.com/platform/frameworks/base/+/bd5cc7f03256b328438b9bc3791c6b811a2f1f17
- https://android.googlesource.com/platform/frameworks/base/+/f516739398746fef7e0cf1437d9a40e2ad3c10bb
- https://android.googlesource.com/platform/frameworks/base/+/74b03835a7fac15e854d08159922418c99e27e77
- https://source.android.com/docs/security/bulletin/2024-03-01#2024-03-01-security-patch-level-vulnerability-details