CVE-2024-34730

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-34730 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-18 Wireless Access good match

prevent

Requires authorization prior to allowing wireless access connections, directly mitigating the bypass of user consent for new Bluetooth HIDs.

IA-3 Device Identification and Authentication good match

prevent

Mandates identification and authentication of devices before establishing connections, preventing unauthorized Bluetooth HID pairing and subsequent privilege escalation.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to resources, addressing the logic error in Bluetooth permission handling that enables local privilege escalation.

NVD Description

In multiple locations, there is a possible bypass of user consent to enabling new Bluetooth HIDs due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…

is not needed for exploitation.

Deeper analysisAI

CVE-2024-34730 is a logic error vulnerability present in multiple locations within Android's Bluetooth stack, enabling a bypass of user consent when pairing new Bluetooth Human Interface Devices (HIDs). This flaw, tagged under CWE-276 (Incorrect Default Permissions), affects the system's permission handling for Bluetooth device authorization. It was published on 2025-01-21 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Exploitation leads to escalation of privilege, granting high-impact access to confidentiality, integrity, and availability without needing additional execution privileges.

The Android Security Bulletin for January 2025, available at https://source.android.com/security/bulletin/2025-01-01, details affected versions and provides patches for mitigation.

Details

CWE(s): CWE-276

Affected Products

google

android

12.0, 12.1, 13.0, 14.0

CVEs Like This One

CVE-2024-43769Same product: Google Android

CVE-2024-49744Same product: Google Android

CVE-2024-49735Same product: Google Android

CVE-2024-43765Same product: Google Android

CVE-2024-53835Same product: Google Android

CVE-2024-49732Same product: Google Android

CVE-2024-49737Same product: Google Android

CVE-2024-53841Same product: Google Android

CVE-2024-53840Same product: Google Android

CVE-2018-9401Same product: Google Android

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com