SB2024040144 - Multiple vulnerabilities in Google Android

Security Bulletin ID SB2024040144

Severity

High

Patch available

YES

Number of vulnerabilities 27

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 27 secuirty vulnerabilities.

1) Reachable Assertion (CVE-ID: CVE-2023-33095)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

2) Buffer overflow (CVE-ID: CVE-2024-21463)

The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to improper input validation in Audio. A remote attacker can read and manipulate data.

3) Buffer over-read (CVE-ID: CVE-2023-33115)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Trusted Execution Environment. A local application can execute arbitrary code.

4) Improper input validation (CVE-ID: CVE-2023-33104)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

5) Improper input validation (CVE-ID: CVE-2023-33103)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

6) Type conversion (CVE-ID: CVE-2023-33101)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

7) Improper input validation (CVE-ID: CVE-2023-33100)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

8) Improper input validation (CVE-ID: CVE-2023-33099)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

9) Reachable Assertion (CVE-ID: CVE-2023-33096)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.

10) Missing release of memory after effective lifetime (CVE-ID: CVE-2023-33086)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.

11) Out-of-bounds write (CVE-ID: CVE-2024-20039)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a missing bounds check within Modem Protocol. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

12) Missing release of memory after effective lifetime (CVE-ID: CVE-2023-33084)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.

13) Buffer overflow (CVE-ID: CVE-2023-33023)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in SPS-Applications. A local application can execute arbitrary code.

14) Buffer overflow (CVE-ID: CVE-2023-28547)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in SPS Applications. A local application can execute arbitrary code.

15) Buffer overflow (CVE-ID: CVE-2023-28582)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in Data Modem. A remote attacker can execute arbitrary code.

16) Use After Free (CVE-ID: CVE-2024-21472)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Kernel. A local application can execute arbitrary code.

17) Use After Free (CVE-ID: CVE-2024-21468)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to failed unmap operation in GPU in Kernel. A local application can execute arbitrary code.

18) NULL Pointer Dereference (CVE-ID: CVE-2023-32890)

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper input validation within Modem EMM. A local application can perform service disruption.

19) Improper input validation (CVE-ID: CVE-2024-20040)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within wlan firmware. A local application can execute arbitrary code.

20) Input validation error (CVE-ID: CVE-2024-0042)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in Widevine component. A local application can execute arbitrary code with elevated privileges.

21) Improper input validation (CVE-ID: CVE-2024-0026)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.

22) Improper input validation (CVE-ID: CVE-2024-23713)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

23) Improper input validation (CVE-ID: CVE-2024-0027)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.

24) Improper input validation (CVE-ID: CVE-2024-23704)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

25) Improper input validation (CVE-ID: CVE-2024-23712)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.

26) Improper input validation (CVE-ID: CVE-2024-23710)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

27) Information exposure (CVE-ID: CVE-2024-0022)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.

Remediation

Install update from vendor's website.

SB2024040144 - Multiple vulnerabilities in Google Android

Breakdown by Severity

Description

Remediation

References

Please verify you're human