CVE-2024-49748
Published: 21 January 2025
Summary
CVE-2024-49748 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 9.5% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-49748 is a heap buffer overflow resulting in an out-of-bounds write in the function gatts_process_primary_service_req within gatt_sr.cc. The affected component is part of the Bluetooth GATT server implementation in Android, as referenced in the January 2025 Android security bulletin. The flaw carries a CVSS 3.1 score of 9.8 and is classified under CWE-787.
An unauthenticated remote attacker can trigger the vulnerability over the network without user interaction or additional privileges, resulting in remote code execution on the target device.
The Android security bulletin published on 2025-01-01 addresses the issue through platform updates. The associated EPSS score rose to a peak of 0.1024 on 2026-03-08 before receding to the current 0.0560, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43600
Vulnerability details
In gatts_process_primary_service_req of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1210 (Exploitation of Remote Services)
Why these techniques?
Heap buffer overflow in Android Bluetooth GATT server enables unauthenticated remote code execution over Bluetooth, directly mapping to exploitation of remote services.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the heap buffer overflow by identifying, reporting, and applying the vendor patches from the Android Security Bulletin.
- SI-16 (Memory Protection): implements memory protection mechanisms such as heap canaries and safe unlinking to block exploitation of the out-of-bounds write before it reaches remote code execution.
- Input validation: requires validation of GATT primary service request inputs, enforcing bounds checking to prevent the out-of-bounds write in gatts_process_primary_service_req.
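The input-validation control above is easiest to understand on a concrete parser. The following C program is an added illustration, not the Android gatt_sr.cc code and not the code affected by this CVE: it parses the ATT Read By Group Type Request (opcode 0x10) that a GATT client sends for primary service discovery and checks every length and handle range before a single byte is copied into a fixed-size struct. The struct, function and sample names (primary_service_req_t, parse_primary_service_req, classify_pdu, the SAMPLE_* arrays) are this example's own, and the sample PDUs are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ATT opcode of Read By Group Type Request, used for primary service discovery. */
#define ATT_OP_READ_BY_GROUP_TYPE_REQ 0x10
#define ATT_UUID_MAX_LEN 16

/* Hypothetical parsed form of the request; names are this example's own. */
typedef struct {
    uint16_t start_handle;
    uint16_t end_handle;
    uint8_t  uuid_len;                /* 2 or 16 */
    uint8_t  uuid[ATT_UUID_MAX_LEN];  /* fixed-size destination buffer */
} primary_service_req_t;

enum parse_result { PARSE_OK = 0, PARSE_BAD_OPCODE, PARSE_BAD_LENGTH, PARSE_BAD_HANDLES };

/* Wire layout: opcode(1) | start handle(2, LE) | end handle(2, LE) | UUID(2 or 16).
 * Only 7- and 21-byte PDUs are acceptable; every other length is rejected up
 * front, so the memcpy below can never write past the 16-byte uuid buffer. */
int parse_primary_service_req(const uint8_t *pdu, size_t len, primary_service_req_t *out)
{
    if (pdu == NULL || out == NULL)
        return PARSE_BAD_LENGTH;
    if (len < 1 || pdu[0] != ATT_OP_READ_BY_GROUP_TYPE_REQ)
        return PARSE_BAD_OPCODE;
    if (len != 7 && len != 21)
        return PARSE_BAD_LENGTH;

    size_t uuid_len = len - 5;  /* 2 or 16 by the check above */
    uint16_t start = (uint16_t)(pdu[1] | (pdu[2] << 8));
    uint16_t end   = (uint16_t)(pdu[3] | (pdu[4] << 8));
    /* Handle 0x0000 is invalid and the range must not be inverted. */
    if (start == 0 || start > end)
        return PARSE_BAD_HANDLES;

    memset(out, 0, sizeof(*out));
    out->start_handle = start;
    out->end_handle   = end;
    out->uuid_len     = (uint8_t)uuid_len;
    memcpy(out->uuid, pdu + 5, uuid_len);  /* uuid_len <= ATT_UUID_MAX_LEN guaranteed */
    return PARSE_OK;
}

/* Wrappers returning plain integers so results can be checked directly. */
int classify_pdu(const uint8_t *pdu, size_t len)
{
    primary_service_req_t req;
    return parse_primary_service_req(pdu, len, &req);
}

int pdu_uuid_len(const uint8_t *pdu, size_t len)
{
    primary_service_req_t req;
    if (parse_primary_service_req(pdu, len, &req) != PARSE_OK)
        return -1;
    return req.uuid_len;
}

/* Constructed sample PDUs (not captured traffic). */
/* Well-formed: handles 0x0001..0xFFFF, 16-bit UUID 0x2800 (Primary Service). */
const uint8_t SAMPLE_OK_16[] = {0x10, 0x01, 0x00, 0xFF, 0xFF, 0x00, 0x28};
/* Well-formed: same UUID in its 128-bit form (21 bytes). */
const uint8_t SAMPLE_OK_128[21] = {0x10, 0x01, 0x00, 0xFF, 0xFF,
    0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
    0x00, 0x10, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00};
/* Truncated: UUID field one byte short. */
const uint8_t SAMPLE_TRUNCATED[] = {0x10, 0x01, 0x00, 0xFF, 0xFF, 0x00};
/* Oversized: 25 bytes, a UUID field that could not fit the 16-byte buffer. */
const uint8_t SAMPLE_OVERSIZED[25] = {0x10, 0x01, 0x00, 0xFF, 0xFF, 0x00, 0x28};
/* Inverted handle range: start 0x0010 > end 0x0001. */
const uint8_t SAMPLE_BAD_RANGE[] = {0x10, 0x10, 0x00, 0x01, 0x00, 0x00, 0x28};

int main(void)
{
    printf("ok16      -> %d\n", classify_pdu(SAMPLE_OK_16, sizeof SAMPLE_OK_16));
    printf("ok128     -> %d\n", classify_pdu(SAMPLE_OK_128, sizeof SAMPLE_OK_128));
    printf("truncated -> %d\n", classify_pdu(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("oversized -> %d\n", classify_pdu(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("badrange  -> %d\n", classify_pdu(SAMPLE_BAD_RANGE, sizeof SAMPLE_BAD_RANGE));
    return 0;
}
```

The design point is that the destination buffer size is fixed by the protocol, so the parser derives the copy length only from a whitelist of permitted PDU lengths rather than from any attacker-controlled field, which is the bounds-checking discipline the SI-10-style control above asks of gatts_process_primary_service_req.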