Cyber Posture

CVE-2024-53842

Critical

Published: 03 January 2025

Published
03 January 2025
Modified
24 July 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0285 86.3th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53842 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of information inputs including bounds checks to prevent out-of-bounds writes like the missing check in cc_SendCcImsInfoIndMsg.

SI-16 Memory Protection good match
prevent

Implements memory protections such as non-executable memory and address randomization to mitigate remote code execution from out-of-bounds writes.

SI-2 Flaw Remediation good match
preventrecover

Mandates identification, reporting, and correction of flaws like this out-of-bounds write vulnerability through timely patching as provided in the Android bulletin.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Out-of-bounds write enables unauthenticated remote code execution over the network (AV:N, PR:N, UI:N), directly mapping to exploitation of remote/public-facing services or client software for initial execution on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In cc_SendCcImsInfoIndMsg of cc_MmConManagement.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-53842 is a vulnerability involving an out-of-bounds write due to a missing bounds check in the cc_SendCcImsInfoIndMsg function of cc_MmConManagement.c. This issue affects Android devices, as documented in the Pixel security bulletin.

The vulnerability enables remote code execution without requiring additional execution privileges or user interaction. Per the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an attacker can exploit it over the network with low attack complexity and no privileges, achieving high impacts on confidentiality, integrity, and availability.

The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2024-12-01 provides details on patches to mitigate this vulnerability, associated with CWE-787.

Details

CWE(s)
CWE-787

Affected Products

google
android
all versions

CVEs Like This One

CVE-2026-0122Same product: Google Android
CVE-2024-49748Same product: Google Android
CVE-2025-36937Same product: Google Android
CVE-2026-0116Same product: Google Android
CVE-2026-0120Same product: Google Android
CVE-2025-36897Same product: Google Android
CVE-2026-0114Same product: Google Android
CVE-2026-0113Same product: Google Android
CVE-2024-49749Same product: Google Android
CVE-2026-0111Same product: Google Android

References