CVE-2024-32905
Published: 13 June 2024
Summary
CVE-2024-32905 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-32905 is an out-of-bounds write vulnerability in the circ_read function of link_device_memory_legacy.c, caused by an incorrect bounds check. The flaw affects Android devices, specifically those covered in the Pixel security updates, and carries a CVSS score of 9.8 with a CWE-787 classification.
An unauthenticated remote attacker can trigger the issue over the network without user interaction or additional privileges, resulting in remote code execution on the target device.
The referenced Android security bulletin for Pixel devices dated 2024-06-01 addresses the vulnerability through corresponding patches and firmware updates.
The associated EPSS score has remained flat at 0.0809 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30675
Vulnerability details
In circ_read of link_device_memory_legacy.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s): CWE-787
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.