CVE-2024-40675
Published: 28 January 2025
Summary
CVE-2024-40675 is a high-severity Infinite Loop (CWE-835) vulnerability in Google Android. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 37.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-40675 is a vulnerability in the parseUriInternal function of Intent.java within the Android Open Source Project's frameworks/base component. It arises from improper input validation that can trigger an infinite loop, mapped to CWE-835 (Loop with Unreachable Exit Condition). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no effects on confidentiality or integrity.
Remote attackers can exploit the vulnerability over the network with low attack complexity, and need no privileges or user interaction. Successful exploitation causes a local denial of service: the infinite loop can disrupt system responsiveness, and no additional execution privileges are needed.
The Android Security Bulletin for October 2024-01 addresses this vulnerability and advises applying updates to affected Android versions. Mitigation is provided through a patch in the Android source code at commit c6b5490ec659b5854fd429f453f75de5befa6359.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38750
Vulnerability details
In parseUriInternal of Intent.java, there is a possible infinite loop due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s): CWE-835 (Loop with Unreachable Exit Condition)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE directly enables application/system exploitation, resulting in endpoint denial of service via an infinite loop triggered by malformed input.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Mandates validation of information inputs, such as URIs in Intent parsing, to prevent infinite loops from improper input handling.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of flaws such as the infinite loop vulnerability addressed by the Android security patch.
- Provides protection against denial-of-service events, including those caused by resource-exhausting infinite loops from remote exploitation.