CVE-2024-43762
Published: 03 January 2025
Summary
CVE-2024-43762 is a high-severity vulnerability in Google Android whose weakness class is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 49.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-43762 is a logic error present in multiple locations within the Android Open Source Project's platform/frameworks/base component. The flaw lets an attacker avoid unbinding a service from the system, resulting in local escalation of privilege without requiring additional execution privileges or user interaction. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). NVD has not yet detailed CWE information for it.
A local attacker with low privileges (PR:L) can exploit this issue with low complexity (AC:L) and no need for user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing privilege escalation on affected Android devices.
The Android Security Bulletin dated 2024-12-01 addresses CVE-2024-43762, recommending updates to patched Android versions for mitigation. A corresponding patch is available in the Android Open Source Project at commit ae43ac7f3d3d5112b0f54b5315a15b08208acf9c within platform/frameworks/base.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40409
Vulnerability details
In multiple locations, there is a possible way to avoid unbinding of a service from the system due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local privilege escalation via service binding logic flaw directly matches Exploitation for Privilege Escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Access Enforcement directly mitigates the logic error by requiring comprehensive enforcement of service binding and unbinding policies to prevent unauthorized privilege escalation.
Least Privilege restricts processes to minimal authorized access, countering local escalation from low-privilege attackers exploiting service unbinding flaws.
Flaw Remediation addresses the specific logic error through timely identification, reporting, and patching as provided in the Android Open Source Project commit.