Cyber Resilience

CVE-2024-49748

Critical

Published: 21 January 2025

Modified: 22 April 2025
KEV Added: not listed
Patch: January 2025 Android security bulletin
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0560 (90.5th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-49748 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 9.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-49748 is a heap buffer overflow resulting in an out-of-bounds write in the function gatts_process_primary_service_req within gatt_sr.cc. The affected component is part of the Bluetooth GATT server implementation in Android, as referenced in the January 2025 Android security bulletin. The flaw carries a CVSS 3.1 score of 9.8 and is classified under CWE-787.

An unauthenticated remote attacker can trigger the vulnerability over the network without user interaction or additional privileges, resulting in remote code execution on the target device.

The Android security bulletin published on 2025-01-01 addresses the issue through platform updates. The associated EPSS score rose to a peak of 0.1024 on 2026-03-08 before receding to the current 0.0560, indicating increased exploitation interest after disclosure.

Vulnerability details

In gatts_process_primary_service_req of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s): CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Heap buffer overflow in Android Bluetooth GATT server enables unauthenticated remote code execution over Bluetooth, directly mapping to exploitation of remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43096 (same product: Google Android)
CVE-2026-0111 (same product: Google Android)
CVE-2024-53842 (same product: Google Android)
CVE-2026-0122 (same product: Google Android)
CVE-2026-0120 (same product: Google Android)
CVE-2024-49745 (same product: Google Android)
CVE-2025-22411 (same product: Google Android)
CVE-2024-49749 (same product: Google Android)
CVE-2024-53837 (same product: Google Android)
CVE-2024-53838 (same product: Google Android)

Affected Assets

Vendor: Google
Product: Android
Versions: 12.0, 12.1, 13.0, 14.0, 15.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Directly remediates the heap buffer overflow vulnerability by identifying, reporting, and applying vendor patches from the Android Security Bulletin.

SI-16 Memory Protection (prevent)
Implements memory protection mechanisms such as heap canaries and safe unlinking to block exploitation of the out-of-bounds write that leads to remote code execution.

Input validation (prevent)
Requires validation of GATT primary service request inputs to enforce bounds checking and prevent the out-of-bounds write in gatts_process_primary_service_req.
