CVE-2024-0040
Published: 16 February 2024
Summary
CVE-2024-0040 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-0040 is an out-of-bounds read caused by a heap buffer overflow in the setParameter function of MtpPacket.cpp within Android's frameworks/av media component. The flaw is tracked under CWE-787 and CWE-122 and carries a CVSS 3.1 base score of 7.5.
An unauthenticated attacker can trigger the issue over the network with no user interaction or additional privileges, resulting in disclosure of sensitive information from the affected process. The vulnerability affects devices running vulnerable builds of Android that process MTP packets.
The February 2024 Android security bulletin and the associated AOSP commit 2ca6c27dc0336fd98f47cfb96dc514efa98e8864 address the issue through patched code in the MtpPacket handling routines; devices should be updated to the versions listed in the bulletin. The EPSS score has remained flat at 0.1837 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-15843
Vulnerability details
In setParameter of MtpPacket.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.