SB2024060508 - Multiple vulnerabilities in Google Android
Published: June 5, 2024 Updated: January 4, 2026
Description
This security bulletin contains information about 36 security vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2024-20066)
The vulnerability allows a local application to cause a service disruption.
The vulnerability exists due to an incorrect bounds check within Modem. A local application can cause a service disruption.
2) Buffer over-read (CVE-ID: CVE-2024-23363)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
3) Buffer overflow (CVE-ID: CVE-2023-43542)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Trusted Execution Environment. A local application can execute arbitrary code.
4) Buffer overflow (CVE-ID: CVE-2023-43556)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Hypervisor. A local application can execute arbitrary code.
5) Improper Authentication (CVE-ID: CVE-2023-43551)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can read and manipulate data.
6) Buffer overflow (CVE-ID: CVE-2023-43538)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in TZ Secure OS. A local application can execute arbitrary code.
7) Out-of-bounds write (CVE-ID: CVE-2024-20068)
The vulnerability allows a local application to cause a service disruption.
The vulnerability exists due to improper input validation within Modem. A local application can cause a service disruption.
8) Out-of-bounds write (CVE-ID: CVE-2024-20067)
The vulnerability allows a local application to cause a service disruption.
The vulnerability exists due to improper input validation within Modem. A local application can cause a service disruption.
9) Selection of Less-Secure Algorithm During Negotiation (CVE-ID: CVE-2024-20069)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing DH downgrade check within Modem. A local application can gain access to sensitive information.
10) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2024-26926)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the binder_get_object() function in drivers/android/binder.c. A local user can influence the pointer offset and potentially execute arbitrary code.
11) Improper Access Control (CVE-ID: CVE-2024-20065)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing permission check within telephony. A local application can gain access to sensitive information.
12) Input validation error (CVE-ID: CVE-2024-23711)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an unspecified error within the PowerVR-GPU component. A local user can execute arbitrary code with elevated privileges.
13) Input validation error (CVE-ID: CVE-2024-23698)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an unspecified error within the PowerVR-GPU component. A local user can execute arbitrary code with elevated privileges.
14) Input validation error (CVE-ID: CVE-2024-23697)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an unspecified error within the PowerVR-GPU component. A local user can execute arbitrary code with elevated privileges.
15) Input validation error (CVE-ID: CVE-2024-23696)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an unspecified error within the PowerVR-GPU component. A local user can execute arbitrary code with elevated privileges.
16) Input validation error (CVE-ID: CVE-2024-23695)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an unspecified error within the PowerVR-GPU component. A local user can execute arbitrary code with elevated privileges.
17) Use-after-free (CVE-ID: CVE-2024-1065)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error. A local user can execute arbitrary code with elevated privileges.
18) Use-after-free (CVE-ID: CVE-2024-0671)
The vulnerability allows a local user to escalate privileges on the system.
19) Improper input validation (CVE-ID: CVE-2024-31327)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
20) Improper input validation (CVE-ID: CVE-2024-31311)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
21) Improper input validation (CVE-ID: CVE-2023-21114)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
22) Improper input validation (CVE-ID: CVE-2024-31323)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
23) Improper input validation (CVE-ID: CVE-2024-31314)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.
24) Information exposure (CVE-ID: CVE-2024-31312)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
25) Improper input validation (CVE-ID: CVE-2024-31326)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
26) Improper input validation (CVE-ID: CVE-2024-31325)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
27) Improper input validation (CVE-ID: CVE-2024-31324)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
28) Improper input validation (CVE-ID: CVE-2024-31322)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
29) Improper input validation (CVE-ID: CVE-2024-31319)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
30) Improper input validation (CVE-ID: CVE-2024-31315)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
31) Improper input validation (CVE-ID: CVE-2023-21113)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
32) Improper input validation (CVE-ID: CVE-2024-31313)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
33) Improper input validation (CVE-ID: CVE-2024-31317)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
34) Improper input validation (CVE-ID: CVE-2024-31316)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
35) Improper input validation (CVE-ID: CVE-2024-31310)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
36) Improper input validation (CVE-ID: CVE-2024-31318)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
Remediation
Install update from vendor's website.
References
- https://source.android.com/docs/security/bulletin/2024-06-01
- https://android.googlesource.com/platform/system/libfmq/+/79bbf4aeef4b254c52da670a972e22956c8c659d
- https://android.googlesource.com/platform/packages/modules/StatsD/+/b6aab6c000ab85f4e4d8bb3941bcc33800550374
- https://android.googlesource.com/platform/packages/modules/Wifi/+/f88a2294f53cf382908cc48f992273742f817dd5
- https://android.googlesource.com/platform/packages/modules/Wifi/+/e6ca0c031758d8b1511f6a359bec316b6d2e22fe
- https://android.googlesource.com/platform/packages/modules/Wifi/+/f39ed052916716ef974102b3bad7ae102d0164a5
- https://android.googlesource.com/platform/packages/modules/HealthFitness/+/c4e13d15e8dd1df1bd827117d1a74c187ed2b3c2
- https://android.googlesource.com/platform/frameworks/base/+/c0d5f75e01308fb7d6d86639a0a6e2ff81b30be6
- https://android.googlesource.com/platform/frameworks/base/+/748055291460bcaafa3e53c7da1601a687959477
- https://android.googlesource.com/platform/frameworks/base/+/736462a777d0a0e1258bd7ab80d6e352ef797669
- https://android.googlesource.com/platform/frameworks/base/+/f1eb8e719dfbe15a38d40af0a73ead207eba9389
- https://android.googlesource.com/platform/frameworks/base/+/9fcd2070f22c0c6b30ecdc914cef83b5891d5f68
- https://android.googlesource.com/platform/frameworks/base/+/f16cc1135b414906164eb8fc55a76971b0e36c21
- https://android.googlesource.com/platform/frameworks/base/+/c1bc907a649addd5b97d489fd39afb956164a46c
- https://android.googlesource.com/platform/frameworks/base/+/3cc021bf608fa813a9a40932028fdde2b12a2d5e
- https://android.googlesource.com/platform/frameworks/base/+/a9ee2793068235ff423d08cc0964870c054d1983
- https://android.googlesource.com/platform/build/soong/+/e7b7f0833dc47ade981eddfbf462dcc143dddd10
- https://android.googlesource.com/platform/frameworks/base/+/17dd11248a66b2722aa3ef07701b7f09a64160e5
- https://android.googlesource.com/platform/prebuilts/module_sdk/Wifi/+/c705bae1a4d50bd7b4f8cc919097d1aae568dd22
- https://android.googlesource.com/platform/frameworks/base/+/e25a0e394bbfd6143a557e1019bb7ad992d11985
- https://android.googlesource.com/platform/frameworks/base/+/3457d82f8e265ad615b38f6a2aa3c33f1e100cb9
- https://android.googlesource.com/platform/frameworks/base/+/74afbb05ca08738f66d82df867bbee66de4884bc
- https://android.googlesource.com/platform/frameworks/base/+/b68b257d56a8600d53b4d2d06fb82aa44086a4a5