SB2024070167 - Multiple vulnerabilities in Google Android
Published: July 1, 2024 Updated: March 7, 2025
Description
This security bulletin contains information about 26 security vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2024-23368)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Qualcomm IPC. A local application can execute arbitrary code.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-21469)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in TZ Secure OS. A local application can execute arbitrary code.
3) Buffer over-read (CVE-ID: CVE-2024-21465)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Trusted Execution Environment. A local application can execute arbitrary code.
4) Buffer over-read (CVE-ID: CVE-2024-21462)
The vulnerability allows a local application to crash the entire system.
The vulnerability exists due to improper input validation in TZ Secure OS. A local application can crash the entire system.
5) Use of Insufficiently Random Values (CVE-ID: CVE-2024-21460)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation in Core. A local application can gain access to sensitive information.
6) Double Free (CVE-ID: CVE-2024-21461)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
7) Use After Free (CVE-ID: CVE-2024-23380)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
8) Use After Free (CVE-ID: CVE-2024-23373)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
9) Integer overflow (CVE-ID: CVE-2024-23372)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
10) Memory corruption (CVE-ID: CVE-2024-20077)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to incorrect error handling within Modem. A local application can perform service disruption.
11) Improper locking (CVE-ID: CVE-2024-26923)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper locking within the unix_gc() function in net/unix/garbage.c: the garbage collector does not take into account the risk of an embryo getting enqueued during garbage collection. A local user can execute arbitrary code with elevated privileges.
12) Memory corruption (CVE-ID: CVE-2024-20076)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to incorrect error handling within Modem. A local application can perform service disruption.
13) Buffer overflow (CVE-ID: CVE-2024-34726)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the PowerVR-GPU component. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
14) Buffer overflow (CVE-ID: CVE-2024-34725)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the PowerVR-GPU component. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
15) Buffer overflow (CVE-ID: CVE-2024-34724)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the PowerVR-GPU component. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
16) Buffer overflow (CVE-ID: CVE-2024-31335)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the PowerVR-GPU component. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
17) Buffer overflow (CVE-ID: CVE-2024-31334)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the PowerVR-GPU component. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
18) Use-after-free (CVE-ID: CVE-2024-4610)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error caused by improper GPU memory processing operations. A local user can execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
19) Out-of-bounds read (CVE-ID: CVE-2024-0153)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
20) Information exposure (CVE-ID: CVE-2024-34721)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
21) Improper input validation (CVE-ID: CVE-2024-31331)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
22) Improper input validation (CVE-ID: CVE-2024-31339)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
23) Improper input validation (CVE-ID: CVE-2024-31332)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
24) Improper input validation (CVE-ID: CVE-2024-34723)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
25) Improper input validation (CVE-ID: CVE-2024-34720)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
26) Improper input validation (CVE-ID: CVE-2024-31320)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
Remediation
Install the update from the vendor's website.
References
- https://source.android.com/docs/security/bulletin/2024-07-01
- https://android.googlesource.com/platform/packages/providers/MediaProvider/+/7a1cbf5a8e17e6bff7c835fdd30dcc42b681db0a
- https://android.googlesource.com/platform/frameworks/base/+/c8694bbccfb9c19aefed536ea710230107c935eb
- https://android.googlesource.com/platform/packages/modules/StatsD/+/795a0da721992432cae20fc9be21bcbce318bf5a
- https://android.googlesource.com/platform/packages/apps/Settings/+/d1f9e61e4480116838c7a642b54c217506361266
- https://android.googlesource.com/platform/frameworks/base/+/c702bb71811993960debe0c18fcf8834cfa2454f
- https://android.googlesource.com/platform/frameworks/base/+/293e9ac230851acbec73f5ab12928d113d6283e1
- https://android.googlesource.com/platform/frameworks/base/+/9722ce9d733edab76163fbcd21b231424e3d7061
- https://android.googlesource.com/platform/frameworks/base/+/df49e0e3083b0707e2cca5a5956b49f14ded078e