CVE-2024-40673 — Code Injection in Google Android

CWE-94 — Code Injection5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

1.7%

top 17.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedJan 28

Description

In Source of ZipFile.java, there is a possible way for an attacker to execute arbitrary code by manipulating Dynamic Code Loading due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5google/android4 versions+3

▶NVDgoogle/android4 versions+3

🔴Vulnerability Details

OSV

CVE-2024-40673: In Source of ZipFile↗2025-01-28

▶

CVEList

CVE-2024-40673: In Source of ZipFile↗2025-01-28

▶

GHSA

GHSA-wmwg-vmx2-qg37: In Source of ZipFile↗2025-01-28

▶

📋Vendor Advisories

Android

CVE-2024-40673: Android Security Bulletin 2024-10-01 CVE: CVE-2024-40673 Severity: HIGH Type: RCE Affected AOSP versions: 12, 12L, 13, 14 References: A-309938635↗2024-10-01

▶