CVE-2024-40659: Classic Buffer Overflow in Frameworks Base

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 89.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 11

Description

In getRegistration of RemoteProvisioningService.java, there is a possible way to permanently disable the AndroidKeyStore key generation feature by updating the attestation keys of all installed apps due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (5 packages)

Android | platform/frameworks_base | 15-next:0 | 15-next:2024-09-01
Android | platform/packages_modules_permission | 15-next:0 | 15-next:2024-09-01
Android | platform/packages_modules_remotekeyprovisioning | 15-next:0 | 15-next:2024-09-01 | +1
CVEListV5 | google/android | 14
NVD | google/android | 14.0

Vulnerability Details (3)

GHSA | GHSA-g3p7-6jrm-6c7q: In getRegistration of RemoteProvisioningService | 2024-09-11
CVEList | CVE-2024-40659: In getRegistration of RemoteProvisioningService | 2024-09-11
OSV | CVE-2024-40659: In getRegistration of RemoteProvisioningService | 2024-09-01

Vendor Advisories (1)

Android | CVE-2024-40659: Android Security Bulletin 2024-09-01 CVE: CVE-2024-40659 Severity: HIGH Type: DoS Affected AOSP versions: 14 References: A-336976105 | 2024-09-01