CVE-2024-43097
Published: 03 January 2025
Summary
CVE-2024-43097 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 23.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-43097 is an out-of-bounds write vulnerability stemming from an integer overflow in the resizeToAtLeast function within SkRegion.cpp of the Skia graphics library. This issue affects the Android platform, where Skia is integrated as an external component. Assigned CWE-787, it carries a CVSS v3.1 base score of 7.8 (High), reflecting its local attack vector, low attack complexity, requirement for low privileges, lack of user interaction, and high impacts on confidentiality, integrity, and availability.
A local attacker with low privileges (PR:L) can exploit this vulnerability without additional execution privileges or user interaction. Successful exploitation enables escalation of privilege, potentially granting higher-level access on the affected Android device and compromising sensitive data or system integrity due to the out-of-bounds write.
Mitigation is addressed in the Android Security Bulletin for December 2024, which details patches for affected versions. The specific fix is implemented in Skia via commit 8d355fe1d0795fc30b84194b87563f75c6f8f2a7. Debian LTS users are also notified in the March 2025 announcement to apply corresponding updates.
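The bug class described above (an integer overflow in a buffer-growth calculation that leaves the allocation smaller than later writes assume) can be closed by checking the arithmetic before allocating. The following is an added illustration, not Skia's code or the referenced fix: the `run_buf` type, the function names and the 1.5x growth policy are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable buffer of 32-bit values; not Skia's data structure. */
typedef struct {
    int32_t *data;
    int capacity; /* number of elements currently allocated */
} run_buf;

/* Assumed growth policy: want + want/2. In plain int arithmetic this can
 * exceed INT_MAX, so the overflow is detected before the addition happens. */
bool growth_overflows_int(int want)
{
    return want > 0 && want > INT_MAX - (want >> 1);
}

/* Grow buf to hold at least `want` elements. Returns false, leaving buf
 * unchanged, when the request is negative, when the element count or the
 * byte size would overflow, or when the allocation fails. */
bool resize_to_at_least_checked(run_buf *buf, int want)
{
    if (want < 0)
        return false;
    if (want <= buf->capacity)
        return true; /* already large enough */
    if (growth_overflows_int(want))
        return false; /* count would wrap: refuse instead of under-allocating */

    int grown = want + (want >> 1);
    if ((size_t)grown > SIZE_MAX / sizeof(int32_t))
        return false; /* byte size would wrap on a narrow size_t */

    int32_t *p = realloc(buf->data, (size_t)grown * sizeof(int32_t));
    if (p == NULL)
        return false;
    buf->data = p;
    buf->capacity = grown;
    return true;
}
```

Callers must treat a `false` return as a hard failure and skip the write, since the capacity is unchanged.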
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40710
Vulnerability details
In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local out-of-bounds write in Skia enables direct privilege escalation on Android via memory corruption with low privileges and no user interaction.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely patching and remediation of the integer overflow vulnerability in Skia as specified in the Android Security Bulletin.
Provides comprehensive memory protections that mitigate out-of-bounds writes caused by the integer overflow in resizeToAtLeast.
Supports identification of the Skia vulnerability through vulnerability scanning and monitoring from sources like security bulletins.