Cyber Resilience

CVE-2024-40675

HighDDoS

Published: 28 January 2025

Published
28 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0017 37.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40675 is a high-severity Infinite Loop (CWE-835) vulnerability in Google Android. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-40675 is a vulnerability in the parseUriInternal function of Intent.java within the Android Open Source Project's frameworks/base component. It arises from improper input validation that can trigger an infinite loop, mapped to CWE-835 (Loop with Unreachable Exit Condition). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no effects on confidentiality or integrity.

The vulnerability enables exploitation by remote attackers requiring no privileges or user interaction, achievable over the network with low attack complexity. Successful exploitation leads to a local denial of service via the infinite loop, potentially disrupting system responsiveness without additional execution privileges.

The Android Security Bulletin for October 2024-01 addresses this vulnerability and advises applying updates to affected Android versions. Mitigation is provided through a patch in the Android source code at commit c6b5490ec659b5854fd429f453f75de5befa6359.

EU & UK References

Vulnerability details

In parseUriInternal of Intent.java, there is a possible infinite loop due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE directly enables application/system exploitation resulting in endpoint denial of service via infinite loop triggered by malformed input.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0109Same product: Google Android
CVE-2024-56192Same product: Google Android
CVE-2026-0122Same product: Google Android
CVE-2026-0045Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2026-0078Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-40651Same product: Google Android

Affected Assets

google
android
12.0, 12.1, 13.0, 14.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates validation of information inputs like URIs in Intent parsing to prevent infinite loops from improper input handling.

prevent

Requires timely identification, reporting, and patching of flaws such as the infinite loop vulnerability addressed by the Android security patch.

preventdetect

Provides protection against denial-of-service events, including those caused by resource-exhausting infinite loops from remote exploitation.

References