CVE-2024-40660

Published: Nov 13, 2024Modified: Dec 17, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In setTransactionState of SurfaceFlinger.cpp, there is a possible way to change protected display attributes due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected (2)

Products: Google: Android

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 14.0
Google Android	Version 15.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (3)

https://android.googlesource.com/platform/frameworks/native/+/064ce6e3235b6318be1e41f1bac9595a98e4aafa

Source: security@android.com

Mailing ListPatch

https://android.googlesource.com/platform/frameworks/native/+/b6ddf525be3c2abbde59ae1533494b18a7961087

Source: security@android.com

Mailing ListPatch

https://source.android.com/security/bulletin/2024-11-01

Source: security@android.com

PatchVendor Advisory

Timeline

No history available yet.