CVE-2024-53842 Overview
CVE-2024-53842 is an out-of-bounds write vulnerability in the cc_SendCcImsInfoIndMsg function of cc_MmConManagement.c in Google Android. The flaw stems from a missing bounds check in the IMS connection management code path. Remote attackers can trigger memory corruption without authentication or user interaction. Successful exploitation can lead to remote code execution at the privilege level of the affected component. Google addressed this issue in the December 2024 Pixel security bulletin. The vulnerability is tracked under CWE-787 (Out-of-bounds Write) and affects baseband/telephony processing on Android devices.
Critical Impact
Network-reachable attackers can achieve remote code execution on affected Android devices with no user interaction and no prior privileges.
Affected Products
- Google Android (Pixel devices addressed in the December 2024 security bulletin)
- Android builds containing the vulnerable cc_MmConManagement.c component
- Devices not yet updated to the 2024-12-01 security patch level
Discovery Timeline
- 2024-12-01 - Google releases security patch via Pixel Security Bulletin
- 2025-01-03 - CVE-2024-53842 published to NVD
- 2025-07-24 - Last updated in NVD database
Technical Details for CVE-2024-53842
Vulnerability Analysis
The vulnerability resides in cc_SendCcImsInfoIndMsg, a function within cc_MmConManagement.c responsible for handling IMS (IP Multimedia Subsystem) information indication messages in the call control stack. The function writes data into a fixed-size buffer without validating the length of incoming message fields. Attackers who control the size or content of the IMS info indication can write beyond the allocated buffer boundary.
The out-of-bounds write corrupts adjacent memory structures, including function pointers and control flow data. Because the affected code path processes network-delivered telephony signaling, exploitation does not require user interaction or local code execution. The Android Security Bulletin classifies the issue as critical due to the potential for remote code execution within a privileged telephony component.
Root Cause
The root cause is a missing bounds check before a memory write operation in cc_SendCcImsInfoIndMsg. The function trusts length or size fields supplied by the caller without enforcing the size of the destination buffer. This pattern matches CWE-787, where input-controlled offsets or lengths bypass buffer boundaries.
Attack Vector
The attack vector is network-based. An adversary delivering crafted IMS signaling traffic, such as malformed SIP-over-IMS messages handled by the telephony stack, can reach the vulnerable function. No authentication is required, and the user does not need to answer a call or open a message. Successful exploitation yields code execution in the context of the telephony service.
No verified public proof-of-concept code is available. See the Android Security Bulletin for vendor technical details.
Detection Methods for CVE-2024-53842
Indicators of Compromise
- Unexpected crashes, restarts, or watchdog resets of telephony or IMS-related services on Android devices
- Anomalous outbound network connections originating from telephony processes after receiving IMS signaling
- Devices reporting a security patch level earlier than 2024-12-01 on Pixel firmware
Detection Strategies
- Monitor Android device security patch levels at scale through MDM and flag devices below the 2024-12-01 patch baseline
- Inspect carrier and enterprise IMS signaling gateways for malformed or oversized info indication payloads
- Correlate telephony service crashes with subsequent process behavior changes to identify post-exploitation activity
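One way to automate the patch-baseline and crash-correlation checks listed above, as an added example that is not part of the original advisory or any vendor tooling. The CSV column names and device rows are constructed for illustration; the 2024-12-01 baseline is the one the advisory gives.

```python
import csv
import io
from datetime import date

BASELINE = date(2024, 12, 1)  # patch level named in the advisory

# Constructed MDM export; column names and rows are illustrative assumptions.
SAMPLE_INVENTORY = """\
device_id,security_patch,telephony_crashes
dev-001,2024-12-05,0
dev-002,2024-11-05,3
dev-003,2024-12-01,1
dev-004,,0
dev-005,2024-13-01,2
dev-006,2024-10-05,0
"""


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None if unusable."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def audit(inventory_csv, baseline=BASELINE):
    """Bucket device ids by patch status and list the ones to triage first."""
    report = {"patched": [], "below_baseline": [], "unknown": [], "priority": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        dev = row["device_id"]
        level = parse_patch_level(row.get("security_patch") or "")
        crashes = int(row.get("telephony_crashes") or 0)
        if level is None:
            # Missing or malformed values fail closed: not proven patched.
            bucket = "unknown"
        elif level < baseline:
            bucket = "below_baseline"
        else:
            bucket = "patched"
        report[bucket].append(dev)
        # Exposed device plus telephony crashes: investigate before the rest.
        if bucket != "patched" and crashes > 0:
            report["priority"].append(dev)
    return report


if __name__ == "__main__":
    for bucket, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Devices with a missing or malformed patch level land in the unknown bucket rather than being counted as patched, so gaps in MDM reporting surface in the same report as confirmed exposure.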
Monitoring Recommendations
- Enroll mobile devices in a mobile threat defense or MDM solution that surfaces patch level and crash telemetry
- Forward mobile device logs and crash reports to a centralized analytics platform for correlation
- Track Google Android Security Bulletin advisories monthly and map them to internal device inventory
How to Mitigate CVE-2024-53842
Immediate Actions Required
- Apply the Android security patch level 2024-12-01 or later on all affected devices
- Prioritize patching for Pixel devices and any OEM Android builds that include the vulnerable telephony component
- Identify and isolate devices that cannot be updated and restrict their access to sensitive corporate resources
Patch Information
Google published the fix in the December 2024 Pixel Security Bulletin. Devices running security patch level 2024-12-01 or later are protected. OEMs ship the corresponding fix on varying schedules, so administrators should verify each vendor's bulletin for affected models.
Workarounds
- Disable Voice over LTE (VoLTE) and Wi-Fi Calling on unpatched devices where operationally acceptable
- Restrict unpatched devices to networks that do not expose them to untrusted IMS signaling
- Replace end-of-life devices that will not receive the 2024-12-01 patch level
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


