CVE-2024-0039: In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code...

9.8 CVSS

Description

In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Classification

CVE ID: CVE-2024-0039

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Problem Types

Remote code execution

Affected Products

Vendor: Google

Product: Android

Exploit Prediction Scoring System (EPSS)

EPSS Score: 20.65% (probability of being exploited)

EPSS Percentile: 95.12% (scored less or equal to compared to others)

EPSS Date: 2025-04-11 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0039
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/17044ccf3a2858633cad8f87926e752edfe0d8d8
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f0f35273101518d1f3a660b151804e90d0249af3
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/015c618a0461def93138173a53daaf27ca0630c9
https://source.android.com/security/bulletin/2024-03-01

Timeline

2025-03-13 19:40:18 UTC
CVE

In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code...