Multiple vulnerabilities in Google Android



Risk Medium
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2024-43077
CVE-2024-43701
CVE-2024-20125
CVE-2024-33063
CVE-2024-33044
CVE-2024-33056
CVE-2024-43048
CVE-2024-43052
CVE-2024-43097
CVE-2024-43769
CVE-2024-43762
CVE-2024-43767
CVE-2024-43768
CVE-2024-43764
CWE-ID CWE-20
CWE-787
CWE-190
CWE-129
CWE-126
CWE-121
Exploitation vector Network
Public exploit N/A
Vulnerable software
Google Android
Operating systems & Components / Operating system

Vendor Google

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU101167

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43077

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU101168

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43701

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds write

EUVDB-ID: #VU101132

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20125

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within vdec. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Integer overflow

EUVDB-ID: #VU101154

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-33063

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Validation of Array Index

EUVDB-ID: #VU101147

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-33044

CWE-ID: CWE-129 - Improper Validation of Array Index

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Hypervisor. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer over-read

EUVDB-ID: #VU101148

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-33056

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in MProc. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stack-based buffer overflow

EUVDB-ID: #VU101149

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43048

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Performance. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU101152

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43052

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Video Analytics and Processing. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 12L 2024-12-05, 12 2024-12-05, 13 2024-12-05, 14 2024-12-05, 15 2024-12-05

CPE2.3
External links

http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper input validation

EUVDB-ID: #VU101165

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43097

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

Google Android: before 12 2024-12-01, 12L 2024-12-01, 13 2024-12-01, 14 2024-12-01, 15 2024-12-01

CPE2.3
External links

http://android.googlesource.com/platform/external/skia/+/8d355fe1d0795fc30b84194b87563f75c6f8f2a7
http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU101163

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43769

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

Google Android: before 13 2024-12-01, 14 2024-12-01, 15 2024-12-01

CPE2.3
External links

http://android.googlesource.com/platform/frameworks/base/+/619ffc299bf33566ba6daee8301ee0fc96e015f4
http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU101161

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43762

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

Google Android: before 12 2024-12-01, 12L 2024-12-01, 13 2024-12-01, 14 2024-12-01, 15 2024-12-01

CPE2.3
External links

http://android.googlesource.com/platform/frameworks/base/+/ae43ac7f3d3d5112b0f54b5315a15b08208acf9c
http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU101164

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43767

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

Google Android: before 12 2024-12-01, 12L 2024-12-01, 13 2024-12-01, 14 2024-12-01, 15 2024-12-01

CPE2.3
External links

http://android.googlesource.com/platform/external/skia/+/796c2040f641bb287dba66c9823ce45e9f8b5807
http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper input validation

EUVDB-ID: #VU101166

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43768

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

Google Android: before 12 2024-12-01, 12L 2024-12-01, 13 2024-12-01, 14 2024-12-01, 15 2024-12-01

CPE2.3
External links

http://android.googlesource.com/platform/external/skia/+/b5543cb8c6b95623743016055220378efe73eb93
http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improper input validation

EUVDB-ID: #VU101162

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43764

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

Google Android: before 13 2024-12-01, 14 2024-12-01

CPE2.3
External links

http://android.googlesource.com/platform/frameworks/base/+/70eb75df7d342429c3ee225feb7c011df727442f
http://source.android.com/docs/security/bulletin/2024-12-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###