Cyber Posture

CVE-2024-40677

High

Published: 28 January 2025

Modified: 22 April 2025
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.3th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40677 is a high-severity Missing Authorization (CWE-862) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, it ranks at the 0.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: AC-3 mandates enforcement of approved authorizations for access to system resources, directly mitigating the missing permission check that enables bypass of factory reset protections.

Prevent: AC-6 enforces the principle of least privilege, preventing local escalation of privilege by ensuring only necessary accesses are permitted in functions like `shouldSkipForInitialSUW`.

Prevent: SI-2 requires identification, reporting, and remediation of system flaws such as CVE-2024-40677, ensuring patches are applied to correct the missing permission check.

NVD Description

In shouldSkipForInitialSUW of AdvancedPowerUsageDetail.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysis [AI]

CVE-2024-40677 is a vulnerability in the `shouldSkipForInitialSUW` method of `AdvancedPowerUsageDetail.java` within the Android Settings application. It stems from a missing permission check (CWE-862), enabling attackers to bypass factory reset protections. This flaw allows local escalation of privilege without requiring additional execution privileges or user interaction, earning a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker with no prior privileges can exploit this vulnerability to escalate their access level by circumventing factory reset safeguards. The low attack complexity and lack of user interaction make it straightforward for anyone with physical or local access to the device to achieve high-impact confidentiality, integrity, and availability compromises.

The Android Security Bulletin for October 2024 details the issue and confirms that patches are available. The specific fix was committed to the Android open-source project in `platform/packages/apps/Settings`, at the provided reference URL. Security practitioners should ensure devices are updated to the patched versions to mitigate this risk.

Details

CWE(s)

Affected Products

Google Android: 12.0, 12.1, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2025-48574 (same product: Google Android)
CVE-2025-48578 (same product: Google Android)
CVE-2025-48634 (same product: Google Android)
CVE-2026-0026 (same product: Google Android)
CVE-2018-9382 (same product: Google Android)
CVE-2025-36920 (same product: Google Android)
CVE-2026-0011 (same product: Google Android)
CVE-2025-36897 (same product: Google Android)
CVE-2026-0020 (same product: Google Android)
CVE-2026-0109 (same product: Google Android)

References