CVE-2024-5436 – A type confusion vulnerability in Snapchat's Le... (How to Fix)

Q: What is the severity of CVE-2024-5436?

CVE-2024-5436 has a CVSS score of 9.8 (CRITICAL). A type confusion vulnerability in Snapchat's LensCore component could allow attackers to cause denial of service or execute arbitrary code on affected devices. This affects Snapchat users running versions below 12.88. The vulnerability is remotely exploitable with high impact potential.

📋 TL;DR

A type confusion vulnerability in Snapchat's LensCore component could allow attackers to cause denial of service or execute arbitrary code on affected devices. This affects Snapchat users running versions below 12.88. The vulnerability is remotely exploitable with high impact potential.

💻 Affected Systems

Products:

Snapchat

Versions: All versions prior to 12.88

Operating Systems: Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of Snapchat below version 12.88 are vulnerable.

📦 What is this software?

Snapchat Lenscore by Snap

View all CVEs affecting Snapchat Lenscore →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent malware installation.

🟠

Likely Case

Application crashes (denial of service) or limited code execution within the LensCore sandbox.

🟢

If Mitigated

No impact if patched to version 12.88 or above.

🌐 Internet-Facing: HIGH - The vulnerability is in a mobile application that processes untrusted content from the internet.

🏢 Internal Only: LOW - This is a client-side mobile application vulnerability, not an internal network service.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Type confusion vulnerabilities typically require specific malformed input to trigger, but CVSS 9.8 suggests relatively straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.88

Vendor Advisory: https://hackerone.com/snapchat

Restart Required: Yes

Instructions:

1. Open your device's app store (Google Play Store or Apple App Store)
2. Search for Snapchat
3. If an update is available, tap 'Update'
4. After installation, restart the Snapchat application

🔧 Temporary Workarounds

Disable LensCore/Lenses

all

Temporarily disable the LensCore functionality to prevent exploitation

No commands - disable via app settings if available

🧯 If You Can't Patch

Uninstall Snapchat until patched version can be installed
Use device-level security controls to restrict Snapchat's permissions and network access

🔍 How to Verify

Check if Vulnerable:

Check Snapchat version in app settings: Settings > About > Version

Check Version:

No command - check within Snapchat app settings

Verify Fix Applied:

Verify version is 12.88 or higher in app settings

📡 Detection & Monitoring

Log Indicators:

Snapchat crash logs
Unexpected LensCore process termination
Memory access violation errors

Network Indicators:

Unusual network traffic from Snapchat app
Requests to unexpected domains from LensCore

SIEM Query:

Not applicable for client-side mobile application vulnerabilities

📊 Metadata

CVE ID: CVE-2024-5436

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-704

Published: May 31, 2024

Last Updated: July 22, 2025

🔗 References

https://hackerone.com/snapchat Third Party Advisory
https://hackerone.com/snapchat Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-5436, you might also want to check these: