CVE-2024-5436 Overview
CVE-2024-5436 is a type confusion vulnerability in Snapchat LensCore affecting versions prior to 12.88. The flaw enables attackers to trigger denial of service conditions or execute arbitrary code on affected systems. LensCore is the runtime component that powers Snapchat's augmented reality (AR) Lenses, processing untrusted content delivered through the Snapchat application. Snap addressed the issue in LensCore version 12.88 and recommends users upgrade immediately.
Critical Impact
Successful exploitation of CVE-2024-5436 can result in arbitrary code execution within the Snapchat LensCore runtime, compromising application integrity and availability on user devices.
Affected Products
- Snap Snapchat LensCore versions prior to 12.88
- Snapchat mobile applications bundling vulnerable LensCore builds
- Any downstream integration relying on Snapchat LensCore runtime below 12.88
Discovery Timeline
- 2024-05-31 - CVE-2024-5436 published to the National Vulnerability Database
- 2025-07-22 - Last updated in NVD database
Technical Details for CVE-2024-5436
Vulnerability Analysis
The vulnerability is a type confusion flaw [CWE-843] in Snapchat LensCore, related to incorrect type conversion or cast [CWE-704]. Type confusion occurs when code allocates or accesses a resource using one type, then later interprets the same memory region using an incompatible type. The mismatch allows an attacker to manipulate object metadata, pointers, or virtual function tables. In LensCore, this leads to memory corruption when processing crafted Lens content. Exploitation results in either an immediate denial of service through application crash or arbitrary code execution within the Snapchat process context. The attack surface centers on the AR Lens parsing and rendering pipeline, which handles attacker-controllable input.
Root Cause
The root cause is improper type validation during object handling inside LensCore. Code paths cast objects to a specific type without verifying the underlying structure matches. When malformed Lens assets traverse these paths, the runtime operates on memory with assumptions that no longer hold, producing corruption.
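The pattern described above, reduced to a minimal C sketch. This is an added example, not LensCore code: the node layout, the 5-byte record format and all function names are hypothetical. It shows how a bound validated for one type at parse time is bypassed when a consumer reads the node as that type without checking the tag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical asset node, constructed for illustration; not LensCore's layout. */
enum node_kind { NODE_MESH = 1, NODE_LABEL = 2 };
#define MAX_VERTS 1024u /* bound enforced on mesh nodes */
#define VERT_SIZE 12u   /* bytes per vertex */
struct node {
    uint32_t kind; /* tag taken from the untrusted record */
    union {
        struct { uint32_t vertex_count; } mesh; /* validated at parse time */
        struct { char text[4]; } label;         /* free-form bytes, no bound */
    } as;
};

/* Constructed record format: 1 tag byte followed by 4 payload bytes. */
int parse_node(const uint8_t *buf, size_t len, struct node *out) {
    if (len != 5) return -1;
    out->kind = buf[0];
    if (out->kind == NODE_MESH) {
        uint32_t n = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                     ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
        if (n > MAX_VERTS) return -1; /* per-type validation */
        out->as.mesh.vertex_count = n;
        return 0;
    }
    if (out->kind != NODE_LABEL) return -1; /* unknown tag */
    memcpy(out->as.label.text, buf + 1, 4);
    return 0;
}

/* Flawed consumer: treats whatever node it is handed as a mesh. */
uint64_t mesh_bytes_unchecked(const struct node *n) {
    return (uint64_t)n->as.mesh.vertex_count * VERT_SIZE;
}

/* Hardened consumer: confirm the tag and re-check the bound before use. */
int mesh_bytes_checked(const struct node *n, uint64_t *out) {
    if (n->kind != NODE_MESH || n->as.mesh.vertex_count > MAX_VERTS) return -1;
    *out = (uint64_t)n->as.mesh.vertex_count * VERT_SIZE;
    return 0;
}

int main(void) {
    const uint8_t label[5] = {NODE_LABEL, 'A', 'A', 'A', 'A'}; /* constructed input */
    struct node n; uint64_t bytes = 0;
    if (parse_node(label, 5, &n) != 0) return 1;
    printf("unchecked=%llu\n", (unsigned long long)mesh_bytes_unchecked(&n));
    printf("checked_rc=%d\n", mesh_bytes_checked(&n, &bytes));
    return 0;
}
```

The label record passes parsing because labels carry no numeric bound; only the tag check in the hardened consumer stops its bytes from being used as a vertex count far above `MAX_VERTS`.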
Attack Vector
The attack vector is network-based with high complexity and requires user interaction. An attacker delivers a crafted Lens or AR content payload through Snapchat distribution channels. When a victim opens or interacts with the malicious Lens, LensCore parses the content and triggers the type confusion condition. Successful exploitation does not require elevated privileges on the target device.
No verified public exploit code is available. See the HackerOne Snapchat Report program for additional technical context.
Detection Methods for CVE-2024-5436
Indicators of Compromise
- Unexpected crashes or hangs of the Snapchat application coinciding with Lens activation
- Crash logs referencing LensCore modules with access violations or segmentation faults
- Snapchat application versions reporting a LensCore build lower than 12.88
Detection Strategies
- Inventory mobile and desktop endpoints running Snapchat and verify the embedded LensCore version against 12.88
- Correlate mobile device management (MDM) telemetry with application crash reports referencing LensCore
- Monitor outbound network traffic from Snapchat for connections to unfamiliar Lens content delivery endpoints
Monitoring Recommendations
- Enable crash reporting and forward mobile application diagnostic logs to a centralized analytics platform
- Track Snapchat application update compliance across managed devices and flag versions predating the 12.88 LensCore fix
- Review user reports of Snapchat instability following interaction with third-party Lenses
How to Mitigate CVE-2024-5436
Immediate Actions Required
- Upgrade Snapchat to a version that bundles LensCore 12.88 or later on all managed devices
- Audit MDM-deployed Snapchat installations to confirm patched versions are propagated
- Communicate to end users the requirement to install the latest Snapchat update from official app stores
Patch Information
Snap released LensCore version 12.88, which remediates the type confusion vulnerability. Users and administrators should upgrade Snapchat to a release that incorporates LensCore 12.88 or later. Refer to the HackerOne Snapchat Report program for additional vendor coordination details.
Workarounds
- Restrict use of third-party or untrusted Lenses until devices are confirmed running LensCore 12.88 or later
- Apply MDM policies to enforce automatic updates for the Snapchat application
- Where business policy permits, remove Snapchat from corporate-managed devices until patching is verified