CVE-2024-40651

High

Published: 28 January 2025

Published

28 January 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.7th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40651 is a high-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation directly addresses the kernel use-after-free vulnerability by applying patches to prevent local privilege escalation.

SI-16 Memory Protection good match

prevent

Memory protection mechanisms such as ASLR, DEP, and guard pages comprehensively mitigate use-after-free exploits by preventing unauthorized memory access and manipulation.

CM-6 Configuration Settings partial match

prevent

Secure kernel configuration settings enable runtime mitigations like SMEP, SMAP, and KASLR that reduce the exploitability of the use-after-free vulnerability.

NVD Description

In TBD of TBD, there is a possible use-after-free due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for…

exploitation.

Deeper analysisAI

CVE-2024-40651 is a use-after-free vulnerability (CWE-416) caused by a logic error in the code within TBD of TBD. This issue affects the kernel and could lead to local escalation of privilege, requiring no additional execution privileges or user interaction for exploitation. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability due to its low attack complexity and lack of privilege or user interaction requirements. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, resulting in kernel-level privilege escalation from an unprivileged user context.

The Android Security Bulletin provides details on mitigation, available at https://source.android.com/security/bulletin/2024-10-01.

Details

CWE(s): CWE-416

Affected Products

google

android

all versions

CVEs Like This One

CVE-2025-0084Same product: Google Android

CVE-2025-22403Same product: Google Android

CVE-2025-0074Same product: Google Android

CVE-2025-48543Same product: Google Android

CVE-2025-22409Same product: Google Android

CVE-2025-0075Same product: Google Android

CVE-2024-40669Same product: Google Android

CVE-2024-40670Same product: Google Android

CVE-2025-22404Same product: Google Android

CVE-2025-22410Same product: Google Android

References

https://source.android.com/security/bulletin/2024-10-01
Vendor Advisory · security@android.com