CVE-2024-43767

HighRCE

Published: 03 January 2025

Published

03 January 2025

Modified

21 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0091 76.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43767 is a high-severity Code Injection (CWE-94) vulnerability in Google Android. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 24.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of inputs to the Skia graphics library's prepare_to_draw_into_mask function, preventing the heap overflow due to improper input validation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, including applying the available Skia patch to eliminate the heap overflow vulnerability.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms that mitigate exploitation of the heap overflow for remote code execution.

NVD Description

In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-43767 is a heap overflow vulnerability in the prepare_to_draw_into_mask function of SkBlurMaskFilterImpl.cpp within the Skia graphics library, as integrated in the Android platform's external Skia component. The flaw arises from improper input validation and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-94 (Code Injection).

A remote attacker with network access can exploit this vulnerability with low attack complexity and no required privileges. Although the description states that user interaction is not needed, the CVSS vector specifies UI:R. Successful exploitation could result in remote code execution, compromising confidentiality, integrity, and availability to a high degree without needing additional execution privileges.

The Android security bulletin for December 2024-01 addresses this issue, and a patch is available in Skia via the commit at https://android.googlesource.com/platform/external/skia/+/796c2040f641bb287dba66c9823ce45e9f8b5807. Security practitioners should apply these updates promptly to affected Android devices.

Details

CWE(s): CWE-94

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2024-43770Same product: Google Android

CVE-2024-49747Same product: Google Android

CVE-2024-43771Same product: Google Android

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2025-36897Same product: Google Android

CVE-2026-0020Same product: Google Android

CVE-2026-0109Same product: Google Android

CVE-2026-0117Same product: Google Android

References

https://android.googlesource.com/platform/external/skia/+/796c2040f641bb287dba66c9823ce45e9f8b5807
Product · security@android.com
https://source.android.com/security/bulletin/2024-12-01
Vendor Advisory · security@android.com