CVE-2024-43767
Published: 03 January 2025
Summary
CVE-2024-43767 is a high-severity Code Injection (CWE-94) vulnerability in Google Android. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 23.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-43767 is a heap overflow vulnerability in the prepare_to_draw_into_mask function of SkBlurMaskFilterImpl.cpp within the Skia graphics library, as integrated in the Android platform's external Skia component. The flaw arises from improper input validation and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-94 (Code Injection).
A remote attacker with network access can exploit this vulnerability with low attack complexity and no required privileges. Although the description states that user interaction is not needed, the CVSS vector specifies UI:R. Successful exploitation could result in remote code execution, compromising confidentiality, integrity, and availability to a high degree without needing additional execution privileges.
The Android security bulletin for December 2024-01 addresses this issue, and a patch is available in Skia via the commit at https://android.googlesource.com/platform/external/skia/+/796c2040f641bb287dba66c9823ce45e9f8b5807. Security practitioners should apply these updates promptly to affected Android devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40411
Vulnerability details
In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap overflow in Skia graphics library enables remote code execution on Android client via crafted input (e.g., image data), directly mapping to exploitation for client execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of inputs to the Skia graphics library's prepare_to_draw_into_mask function, preventing the heap overflow due to improper input validation.
Mandates timely flaw remediation, including applying the available Skia patch to eliminate the heap overflow vulnerability.
Implements memory protection mechanisms that mitigate exploitation of the heap overflow for remote code execution.