CVE-2024-49742
Published: 21 January 2025
Summary
CVE-2024-49742 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 11.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Enforces approved authorizations for logical access to system resources, directly addressing the missing permission check in NotificationAccessConfirmationActivity that enables unauthorized hiding of notification access apps.
Restricts privileges to the minimum necessary, mitigating local privilege escalation from improper privilege management (CWE-269) by preventing apps from performing unauthorized actions like self-hiding in Settings.
Requires identification, reporting, and remediation of flaws like CVE-2024-49742, enabling timely patching as recommended in the Android Security Bulletin to prevent exploitation.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Missing permission check directly enables local privilege escalation (T1068) by allowing hidden notification access apps.
NVD Description
In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way to hide an app with notification access in Settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Deeper analysis (AI)
CVE-2024-49742 is a vulnerability in the onCreate method of NotificationAccessConfirmationActivity.java within Android's Settings app, stemming from a missing permission check. This flaw allows an app with notification access to be hidden from the Settings interface, potentially enabling local escalation of privilege without requiring additional execution privileges. The issue was published on 2025-01-21 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-269 (Improper Privilege Management). User interaction is required for exploitation.
A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L). Successful exploitation enables hiding notification access apps, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) through privilege escalation on the affected Android device.
The Android Security Bulletin provides details on mitigation, available at https://source.android.com/security/bulletin/2025-01-01. Security practitioners should apply the recommended patches to address this issue in supported Android versions.
Details
- CWE(s)