CVE-2024-40661

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to access the microphone without proper permission checks, enabling potential audio surveillance. It affects Android devices with vulnerable permission management components, requiring no user interaction for exploitation.

💻 Affected Systems

Products:
  • Android
Versions: Android versions prior to November 2024 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the vulnerable Permission module; exploitation requires local access to the device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of microphone access leading to unauthorized audio recording, privacy violations, and potential credential theft via voice capture.

🟠 Likely Case

Local privilege escalation allowing malicious apps to bypass microphone permission controls and record audio without user consent.

🟢 If Mitigated

Limited impact with proper app sandboxing and security updates preventing unauthorized permission escalation.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but no user interaction; complexity is low due to missing permission check.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: November 2024 Android Security Patch

Vendor Advisory: https://source.android.com/security/bulletin/2024-11-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Apply the November 2024 security patch.
3. Restart the device after installation.

🔧 Temporary Workarounds

Disable microphone permissions for untrusted apps

Platform: Android

Manually revoke microphone access for applications that don't require it for functionality.

🧯 If You Can't Patch

  • Restrict installation of untrusted applications from unknown sources
  • Use device management policies to control app permissions

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version. If the patch level is earlier than November 2024, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Confirm security patch level shows 'November 5, 2024' or later in Settings > About phone > Android version.
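As an added example (not part of this advisory), a POSIX shell script that applies the verification steps above: it classifies the patch level a device reports via `adb shell getprop ro.build.version.security_patch` against the November 5, 2024 level the advisory names. The `adb` wrapper, the `--device` flag and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the "How to Verify" steps by
# classifying an Android security patch level string, as returned by
# `adb shell getprop ro.build.version.security_patch`, against the first
# patch level the advisory says contains the fix.

# Taken from the advisory's "Verify Fix Applied" step.
FIXED_PATCH_LEVEL="2024-11-05"

# Turn a validated YYYY-MM-DD string into the integer YYYYMMDD (pure POSIX sh
# parameter expansion, so it also works on a minimal toolbox shell).
iso_to_int() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s%s%s' "$y" "$m" "$d"
}

# Print "patched", "vulnerable" or "unknown" for the given patch level.
# Strips the trailing CR that `adb shell` output carries on some hosts.
patch_level_status() {
    level=$(printf '%s' "$1" | tr -d '\r')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$(iso_to_int "$level")" -ge "$(iso_to_int "$FIXED_PATCH_LEVEL")" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Query one connected device (assumes adb is on PATH; pass a serial when more
# than one device is attached). Exit status is non-zero unless it is patched.
check_device() {
    if [ -n "$1" ]; then
        level=$(adb -s "$1" shell getprop ro.build.version.security_patch)
    else
        level=$(adb shell getprop ro.build.version.security_patch)
    fi
    status=$(patch_level_status "$level")
    printf 'device %s: patch level %s -> %s\n' "${1:-default}" "$level" "$status"
    [ "$status" = patched ]
}

# Usage (hypothetical file name): ./check_cve_2024_40661.sh --device [SERIAL]
if [ "${1:-}" = "--device" ]; then
    check_device "$2"
fi
```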

📡 Detection & Monitoring

Log Indicators:

  • Unexpected microphone access attempts by apps without proper permissions
  • Permission escalation events in system logs

Network Indicators:

  • Unusual audio data transmission from device

SIEM Query (illustrative; field and event names depend on the log source):

source="android_system" AND (event="permission_grant" OR event="microphone_access") AND app_permission="missing"
