CVE-2024-47032

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47032 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match

prevent

Memory protection mechanisms such as heap canaries, ASLR, and non-executable memory directly mitigate exploitation of heap buffer overflows like this out-of-bounds write.

SI-2 Flaw Remediation good match

prevent

Flaw remediation ensures timely patching of the specific heap buffer overflow vulnerability as recommended in the Android Pixel security bulletin.

SI-10 Information Input Validation partial match

prevent

Information input validation addresses the root cause of CWE-120 by enforcing checks on command sizes in functions like construct_transaction_from_cmd.

NVD Description

In construct_transaction_from_cmd of lwis_ioctl.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-47032 is a heap buffer overflow vulnerability stemming from an out-of-bounds write in the construct_transaction_from_cmd function within lwis_ioctl.c. This flaw affects Android devices, particularly Google Pixel models as detailed in the associated security bulletin. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-120 (Buffer Copy without Checking Size of Input).

A local attacker with low-privilege access can exploit this vulnerability without requiring user interaction or additional execution privileges. Successful exploitation enables escalation of privileges, potentially granting full control over the affected device with high impacts on confidentiality, integrity, and availability.

The Android Pixel security bulletin from December 1, 2024 (https://source.android.com/security/bulletin/pixel/2024-12-01) addresses this issue, recommending users apply the provided patches to mitigate the risk.

Details

CWE(s): CWE-120

Affected Products

google

android

all versions

CVEs Like This One

CVE-2025-48611Same product: Google Android

CVE-2026-0110Same product: Google Android

CVE-2018-9387Same product: Google Android

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2025-36897Same product: Google Android

CVE-2026-0020Same product: Google Android

CVE-2026-0109Same product: Google Android

CVE-2026-0117Same product: Google Android

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com