Out of Bounds Write Vulnerability in Android Skia Graphics Library
CVE-2024-43097

7.8HIGH

Key Information:

Vendor

Google
Status
Android
Vendor
CVE Published:
3 January 2025

What is CVE-2024-43097?

CVE-2024-43097 is an out-of-bounds write vulnerability found in the Android Skia graphics library, which is utilized for rendering graphics in Android applications. This vulnerability arises from an integer overflow in the resizeToAtLeast function within the SkRegion.cpp file, potentially allowing local privilege escalation without requiring additional execution privileges. Organizations using Android platforms that rely on the Skia library may face heightened security risks as this vulnerability can lead to unauthorized access and manipulation of system resources.

Technical Details

The vulnerability stems from a flaw in the Skia graphics library where an integer overflow can occur in the resizeToAtLeast function. This out-of-bounds write can introduce memory corruption issues, allowing an attacker to manipulate memory structures. It does not require user interaction to exploit, which makes it particularly dangerous. The nature of the vulnerability indicates that it could be utilized to escalate privileges locally on affected systems.

Potential Impact of CVE-2024-43097

  1. Local Privilege Escalation: Exploitation of this vulnerability can allow unauthorized users to gain elevated privileges on the system, providing them unrestricted access to sensitive data and system resources.

  2. Memory Corruption Risks: The out-of-bounds write could lead to memory corruption, resulting in application crashes or inconsistent application behavior, potentially affecting the user experience and system stability.

  3. Increased Attack Surface: With the potential for privilege escalation, this vulnerability could serve as a stepping stone for further attacks within the network or on connected systems, leading to more severe security incidents or data breaches.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Android 15

Android 14

Android 13

References

https://android.googlesource.com/platform/external/skia/+...
https://source.android.com/security/bulletin/2024-12-01

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.