CVE-2024-53834

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0078 73.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53834 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Android. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Requires timely identification, reporting, prioritization, and correction of flaws like the incorrect bounds check in sms_DisplayHexDumpOfPrivacyBuffer enabling remote information disclosure.

SI-16 Memory Protection good match

prevent

Deploys memory protection mechanisms that mitigate out-of-bounds read vulnerabilities by enforcing strict memory access boundaries and preventing unauthorized data reads.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Monitors and responds to security advisories such as the Android Pixel December 2024 bulletin detailing patches for CVE-2024-53834.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

Out-of-bounds read in SMS utility enables remote disclosure of sensitive local device data without auth or interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In sms_DisplayHexDumpOfPrivacyBuffer of sms_Utilities.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-53834 is a vulnerability in the sms_DisplayHexDumpOfPrivacyBuffer function of sms_Utilities.c, where an incorrect bounds check enables a possible out-of-bounds read. This issue affects Android devices, as documented in the Pixel security bulletin.

Remote attackers can exploit this vulnerability to disclose sensitive information without needing additional execution privileges or user interaction. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) highlights its severity, stemming from network-based access, low complexity, lack of prerequisites, and high confidentiality impact, with no integrity or availability disruption.

The Android Pixel security bulletin for December 2024, available at https://source.android.com/security/bulletin/pixel/2024-12-01, provides details on patches to mitigate this vulnerability.

Details

CWE(s): CWE-125

Affected Products

google

android

all versions

CVEs Like This One

CVE-2025-36911Same product: Google Android

CVE-2025-48530Same product: Google Android

CVE-2018-9464Same product: Google Android

CVE-2025-48636Same product: Google Android

CVE-2026-0035Same product: Google Android

CVE-2026-0106Same product: Google Android

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2025-36897Same product: Google Android

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com