CVE-2024-0033 — Out-of-bounds Write in Frameworks Native

CWE-787 — Out-of-bounds Write CWE-122 — Heap-based Buffer Overflow CWE-20 — Improper Input Validation9 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 80.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Native Platform System Core Google Android

Timeline

PublishedFeb 16

Latest updateDec 27

Description

In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶Androidplatform/system_core14-next:0 — 14-next:2024-02-01+5

▶Androidplatform/frameworks_native14-next:0 — 14-next:2024-02-01+2

▶CVEListV5google/android5 versions+4

▶NVDgoogle/android5 versions+4

Patches

Patch: android.googlesource.com ↗Patch: android.googlesource.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

CVEList

CVE-2024-0033: In multiple functions of ashmem-dev↗2024-02-16

▶

GHSA

GHSA-7pg4-9277-v46w: In multiple functions of ashmem-dev↗2024-02-16

▶

OSV

CVE-2024-0033: In multiple functions of ashmem-dev↗2024-02-01

▶

📋Vendor Advisories

Red Hat

kernel: um: net: Do not use drvdata in release↗2024-12-27

▶

Red Hat

kernel: um: ubd: Do not use drvdata in release↗2024-12-27

▶

Red Hat

kernel: um: vector: Do not use drvdata in release↗2024-12-27

▶

Red Hat

kernel: x86/bugs: Use code segment selector for VERW operand↗2024-10-29

▶

Android

CVE-2024-0033: Android Security Bulletin 2024-02-01 CVE: CVE-2024-0033 Severity: HIGH Type: EoP Affected AOSP versions: 11, 12, 12L, 13, 14 References: A-294609150 [↗2024-02-01

▶