Cyber Resilience

CVE-2024-53834

High

Published: 03 January 2025

Published
03 January 2025
Modified
24 July 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0078 74.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53834 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Android. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-53834 is a vulnerability in the sms_DisplayHexDumpOfPrivacyBuffer function of sms_Utilities.c, where an incorrect bounds check enables a possible out-of-bounds read. This issue affects Android devices, as documented in the Pixel security bulletin.

Remote attackers can exploit this vulnerability to disclose sensitive information without needing additional execution privileges or user interaction. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) highlights its severity, stemming from network-based access, low complexity, lack of prerequisites, and high confidentiality impact, with no integrity or availability disruption.

The Android Pixel security bulletin for December 2024, available at https://source.android.com/security/bulletin/pixel/2024-12-01, provides details on patches to mitigate this vulnerability.

EU & UK References

Vulnerability details

In sms_DisplayHexDumpOfPrivacyBuffer of sms_Utilities.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Out-of-bounds read in SMS utility enables remote disclosure of sensitive local device data without auth or interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-36911Same product: Google Android
CVE-2018-9464Same product: Google Android
CVE-2026-0076Same product: Google Android
CVE-2025-48530Same product: Google Android
CVE-2025-48636Same product: Google Android
CVE-2026-0035Same product: Google Android
CVE-2026-0106Same product: Google Android
CVE-2024-56192Same product: Google Android
CVE-2026-0122Same product: Google Android
CVE-2026-0045Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires timely identification, reporting, prioritization, and correction of flaws like the incorrect bounds check in sms_DisplayHexDumpOfPrivacyBuffer enabling remote information disclosure.

prevent

Deploys memory protection mechanisms that mitigate out-of-bounds read vulnerabilities by enforcing strict memory access boundaries and preventing unauthorized data reads.

prevent

Monitors and responds to security advisories such as the Android Pixel December 2024 bulletin detailing patches for CVE-2024-53834.

References