SB2024100802 - Multiple vulnerabilities in Google Android




Published: October 8, 2024
Updated: September 26, 2025

Security Bulletin ID: SB2024100802
Severity: High
Patch available: YES
Number of vulnerabilities: 26
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 15% Medium 8% Low 77%

Description

This security bulletin contains information about 26 security vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2024-20092)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within vdec. A local privileged application can execute arbitrary code.


2) Memory corruption (CVE-ID: CVE-2024-23369)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.


3) Use After Free (CVE-ID: CVE-2024-38399)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.


4) Use After Free (CVE-ID: CVE-2024-33069)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Host. A remote attacker can perform a denial of service (DoS) attack.


5) Buffer over-read (CVE-ID: CVE-2024-33049)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.


6) Improper input validation (CVE-ID: CVE-2024-20094)

The vulnerability allows a local application to cause a service disruption.

The vulnerability exists due to a missing bounds check within Modem. A local application can cause a service disruption.


7) Out-of-bounds read (CVE-ID: CVE-2024-20093)

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within vdec. A local privileged application can gain access to sensitive information.


8) Out-of-bounds read (CVE-ID: CVE-2024-20091)

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within vdec. A local privileged application can gain access to sensitive information.


9) Out-of-bounds write (CVE-ID: CVE-2024-20090)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within vdec. A local privileged application can execute arbitrary code.


10) Buffer overflow (CVE-ID: CVE-2024-34732)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


11) Out-of-bounds write (CVE-ID: CVE-2024-20103)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within wlan. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.


12) Out-of-bounds write (CVE-ID: CVE-2024-20101)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within wlan. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.


13) Out-of-bounds write (CVE-ID: CVE-2024-20100)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within wlan. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.


14) Buffer overflow (CVE-ID: CVE-2024-40670)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


15) Buffer overflow (CVE-ID: CVE-2024-40669)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


16) Buffer overflow (CVE-ID: CVE-2024-40651)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


17) Buffer overflow (CVE-ID: CVE-2024-40649)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


18) Buffer overflow (CVE-ID: CVE-2024-34748)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


19) Buffer overflow (CVE-ID: CVE-2024-34733)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


20) Improper input validation (CVE-ID: CVE-2024-40676)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


21) Improper input validation (CVE-ID: CVE-2024-40675)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.


22) Improper input validation (CVE-ID: CVE-2024-40677)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


23) Improper input validation (CVE-ID: CVE-2024-40673)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the System ART component. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.


24) Improper input validation (CVE-ID: CVE-2024-40674)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the System WiFi component. A local application can perform a denial of service (DoS) attack.


25) Improper input validation (CVE-ID: CVE-2024-40672)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


26) Improper input validation (CVE-ID: CVE-2024-0044)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


Remediation

Install the update from the vendor's website.