CVE-2024-0039

CRITICAL

Google Android - Out-of-Bounds Write

Title source: rule

Description

In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (1)

nomisec WORKING POC 12 stars

by 41yn14 · poc

https://github.com/41yn14/CVE-2024-0039-Exploit

View Code ZIP pw:eip

References (4)

[Patch] https://android.googlesource.com/platform/packages/modules/Bluetooth/+/015c618a0461def93138173a53daaf27ca0630c9

[Patch] https://android.googlesource.com/platform/packages/modules/Bluetooth/+/17044ccf3a2858633cad8f87926e752edfe0d8d8

[Patch] https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f0f35273101518d1f3a660b151804e90d0249af3

[Patch, Vendor Advisory] https://source.android.com/security/bulletin/2024-03-01

Scores

CVSS v3 9.8

EPSS 0.1964

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-787

Status published

Products (4)

google/android 12.0

google/android 12.1

google/android 13.0

google/android 14.0

Published Mar 11, 2024

Tracked Since Feb 18, 2026