Cyber Posture

CVE-2024-49748

Critical

Published: 21 January 2025

Published
21 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0560 90.4th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49748 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the heap buffer overflow vulnerability by identifying, reporting, and applying vendor patches from the Android Security Bulletin.

SI-16 Memory Protection good match
prevent

Implements memory protection mechanisms like heap canaries and safe unlinking to block exploitation of the out-of-bounds write leading to remote code execution.

SI-10 Information Input Validation partial match
prevent

Requires validation of GATT primary service request inputs to enforce bounds checking and prevent the out-of-bounds write in gatts_process_primary_service_req.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Heap buffer overflow in Android Bluetooth GATT server enables unauthenticated remote code execution over Bluetooth, directly mapping to exploitation of remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In gatts_process_primary_service_req of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-49748 is a heap buffer overflow vulnerability stemming from an out-of-bounds write in the gatts_process_primary_service_req function within gatt_sr.cc, part of the Android Bluetooth GATT server component. This flaw affects Android devices with the vulnerable Bluetooth stack implementation. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-787 (Out-of-bounds Write). It was published on 2025-01-21.

A remote attacker can exploit this vulnerability over the network via Bluetooth without requiring authentication, privileges, or user interaction. Successful exploitation could result in remote code execution on the target device, potentially compromising confidentiality, integrity, and availability.

The Android Security Bulletin for 2025-01-01, available at https://source.android.com/security/bulletin/2025-01-01, details patches addressing this vulnerability in affected Android releases. Security practitioners should apply these updates promptly to mitigate the risk.

Details

CWE(s)
CWE-787

Affected Products

google
android
12.0, 12.1, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2026-0111Same product: Google Android
CVE-2024-53842Same product: Google Android
CVE-2026-0010Same product: Google Android
CVE-2026-0113Same product: Google Android
CVE-2024-49749Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2024-49747Same product: Google Android
CVE-2026-0122Same product: Google Android
CVE-2025-36937Same product: Google Android
CVE-2026-0123Same product: Google Android

References