CVE-2024-49744Incorrect Default Permissions in Frameworks Base

CWE-276Incorrect Default PermissionsCWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 99.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Frameworks BaseGoogle Android
Timeline
PublishedJan 21
Latest updateJan 22

Description

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

Androidplatform/frameworks_base15-next:015-next:2025-01-01+5
CVEListV5google/android5 versions+4
NVDgoogle/android5 versions+4

🔴Vulnerability Details

3
GHSA
GHSA-x22m-7748-229x: In checkKeyIntentParceledCorrectly of AccountManagerService2025-01-22
CVEList
CVE-2024-49744: In checkKeyIntentParceledCorrectly of AccountManagerService2025-01-21
OSV
CVE-2024-49744: In checkKeyIntentParceledCorrectly of AccountManagerService2025-01-01

📋Vendor Advisories

1
Android
CVE-2024-49744: Android Security Bulletin 2025-01-01 CVE: CVE-2024-49744 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L, 13, 14, 15 References: A-3608467722025-01-01
CVE-2024-49744 — Incorrect Default Permissions | cvebase