CVE-2024-40662

7.8 HIGH

📋 TL;DR

Improper input validation in Android's Uri.java allows attackers to craft malformed Uri objects, potentially leading to local privilege escalation with no user interaction required. It affects Android devices running vulnerable framework versions and allows an attacker with local access to gain elevated privileges on the device.

💻 Affected Systems

Products:
  • Android
Versions: Android versions prior to September 2024 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Android devices with vulnerable framework versions; exploitation requires local access to the device.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with attacker gaining system-level privileges, potentially installing persistent malware, accessing sensitive data, or bypassing security controls.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass application sandboxing, access other apps' data, or perform unauthorized system operations.

🟢

If Mitigated

Limited impact if devices are patched or have additional security controls like verified boot, SELinux enforcement, and app sandboxing properly configured.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access but no user interaction; complexity is medium due to need for specific Uri crafting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: September 2024 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2024-09-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the September 2024 or later Android security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict app installations (android)

Only install apps from trusted sources like the Google Play Store to reduce the attack surface.

Enable Google Play Protect (android)

Ensure Google Play Protect is enabled for additional security scanning.

🧯 If You Can't Patch

  • Isolate vulnerable devices from sensitive networks and data
  • Implement application allowlisting to restrict which apps can run

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows September 2024 or later date

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • Suspicious Uri parsing errors or crashes

Network Indicators:

  • Unusual outbound connections from system processes

SIEM Query:

source="android_system" AND (event_type="privilege_escalation" OR error="Uri parsing")
