CVE-2024-43768
Published: 03 January 2025
Summary
CVE-2024-43768 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, it is ranked at the 35.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mandates identification, reporting, prioritization, and timely remediation of flaws like the integer overflow in skia_alloc_func, eliminating the vulnerability to prevent local privilege escalation.
Implements memory protection mechanisms such as address space layout randomization and data execution prevention that mitigate out-of-bounds writes from integer overflows, blocking exploitation for privilege escalation.
Requires validation of information inputs to graphics library functions like SkDeflate, addressing potential integer overflows triggered by malformed deflate data inputs.
NVD Description
In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis (AI)
CVE-2024-43768 is a vulnerability in the Skia graphics library, manifesting as an out-of-bounds write due to an integer overflow in skia_alloc_func within SkDeflate.cpp. This issue affects the Android platform, specifically the external/skia component.
A local attacker with low privileges can exploit this vulnerability to achieve escalation of privilege, requiring no additional execution privileges or user interaction. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects its high impact potential on confidentiality, integrity, and availability for local users with straightforward exploitation conditions.
The Android Security Bulletin for December 2024 details the vulnerability and provides patches. A fix is implemented in commit b5543cb8c6b95623743016055220378efe73eb93 in the Android external Skia repository.
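The page does not reproduce the affected code, so the following is an added illustration of the bug class (CWE-787 reached through an integer overflow), not Skia's source and not the referenced fix. It assumes an allocation callback that receives an item count and an item size, as zlib's alloc_func does; `request_unchecked`, `request_checked` and `example_alloc` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Declared locally so the example builds without zlib headers. */
typedef unsigned int uInt;

/* Weak pattern: the product is computed in unsigned int arithmetic and
 * wraps modulo 2^32, so the allocator sees a far smaller size than the
 * caller will later write into. */
static size_t request_unchecked(uInt items, uInt size) {
    uInt bytes = items * size;
    return (size_t)bytes;
}

/* Hardened pattern: widen to size_t and reject any product that does not
 * fit. Returns 0 and stores the byte count, or -1 on overflow. */
static int request_checked(uInt items, uInt size, size_t *out) {
    if (size != 0 && items > SIZE_MAX / size) {
        return -1;
    }
    *out = (size_t)items * (size_t)size;
    return 0;
}

/* Callback in the (opaque, items, size) shape; fails closed with NULL. */
static void *example_alloc(void *opaque, uInt items, uInt size) {
    size_t bytes;
    (void)opaque;
    if (request_checked(items, size, &bytes) != 0) {
        return NULL;
    }
    return malloc(bytes);
}

int main(void) {
    /* Constructed values: 0x10000 * 0x10001 needs 33 bits. */
    uInt items = 0x10000u, size = 0x10001u;
    size_t bytes = 0;
    void *p = example_alloc(NULL, 4u, 16u);
    printf("unchecked request: %zu bytes\n", request_unchecked(items, size));
    if (request_checked(items, size, &bytes) == 0) {
        printf("checked request:   %zu bytes\n", bytes);
    } else {
        printf("checked request:   rejected (overflow)\n");
    }
    free(p);
    return 0;
}
```

On a platform with a 32-bit `size_t` the checked path rejects the request; with a 64-bit `size_t` it returns the true product instead of the wrapped one.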
Details
- CWE(s)