CVE-2024-40664 – This vulnerability in Android's accessibility s... (How to Fix)

Q: What is the severity of CVE-2024-40664?

CVE-2024-40664 has a CVSS score of 6.2 (MEDIUM). This vulnerability in Android's accessibility services allows an attacker to hide enabled accessibility services through a logic error in AccessibilityFragment.java. This leads to local denial of service without requiring additional privileges or user interaction. It affects Android Wear devices and potentially other Android systems with accessibility services enabled.

📋 TL;DR

This vulnerability in Android's accessibility services allows an attacker to hide enabled accessibility services through a logic error in AccessibilityFragment.java. This leads to local denial of service without requiring additional privileges or user interaction. It affects Android Wear devices and potentially other Android systems with accessibility services enabled.

💻 Affected Systems

Products:

Android Wear devices
Android devices with accessibility services

Versions: Android versions prior to the May 2025 security patch

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with accessibility services enabled. The vulnerability is in the Android framework code.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical accessibility services for users with disabilities could be disabled, preventing device usage and potentially locking users out of their devices.

🟠

Likely Case

Temporary disruption of accessibility features like screen readers or voice control, requiring device restart to restore functionality.

🟢

If Mitigated

Minimal impact if accessibility services are not critical for daily use or if users can quickly restart their devices.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring physical or app-based access to the device.

🏢 Internal Only: MEDIUM - Could be exploited by malicious apps or users with physical access to disrupt accessibility features.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires app installation or physical access. No user interaction needed once exploit is triggered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level May 2025 or later

Vendor Advisory: https://source.android.com/security/bulletin/wear/2025-05-01

Restart Required: No

Instructions:

1. Check for system updates in Settings > System > System update. 2. Apply the May 2025 security patch or later. 3. No device restart should be required after patch installation.

🔧 Temporary Workarounds

Disable Accessibility Services

Android

Temporarily disable accessibility services to prevent exploitation

Settings > Accessibility > Installed services > Toggle off all services

🧯 If You Can't Patch

Restrict app installation to trusted sources only via Settings > Security > Unknown sources
Monitor for unusual accessibility service behavior and restart device if services become unavailable

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level. If before May 2025, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows May 2025 or later. Test accessibility services to ensure they remain visible and functional.

📡 Detection & Monitoring

Log Indicators:

Accessibility service unexpectedly disabled or hidden events in system logs
AccessibilityManagerService errors related to service visibility

Network Indicators:

None - this is a local vulnerability

SIEM Query:

source="android_system" AND ("AccessibilityService" OR "accessibility") AND ("disabled" OR "hidden" OR "error")

📊 Metadata

CVE ID: CVE-2024-40664

CVSS v3 Score: 6.2 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 0.09% exploit probability (26.5th percentile)

Published: September 4, 2025

Last Updated: September 8, 2025

🔗 References

https://source.android.com/security/bulletin/wear/2025-05-01 Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-40664, you might also want to check these: