Arbitrary Code Execution Vulnerability in Device Memory Server by Android
CVE-2024-34733
8.4 HIGH
Summary
An integer overflow in the DevmemXIntMapPages function of the Device Memory Server in Android allows arbitrary code execution. This may facilitate local privilege escalation within the kernel without requiring elevated execution privileges or user interaction. It therefore poses a substantial risk to device security and should be addressed promptly.
Affected Version(s)
Android Android SoC
CVSS V3.1
Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved