CVE-2024-20011 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

6.1%

top 9.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedFeb 5

Latest updateApr 3

Description

In alac decoder, there is a possible information disclosure due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08441146; Issue ID: ALPS08441146.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDgoogle/android11.0, 12.0, 13.0+2

▶googlegoogle/android

🔴Vulnerability Details

GHSA

GHSA-5mh8-m4xv-8wfr: In alac decoder, there is a possible information disclosure due to an incorrect bounds check↗2024-02-05

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure↗2025-04-03

▶

📋Vendor Advisories

Android

CVE-2024-20011: alac decoder↗2024-02-01

▶