Researchers at Google Project Zero disclosed details of a now-patched zero-click vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), that affects Samsung devices. The flaw is an out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 that allows remote attackers to execute arbitrary code. It was reported on September 21, 2024, and affected Android versions 12, 13, and 14.

“Out-of-bound write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code,” reads the advisory. “The patch adds proper input validation.”

The vulnerability was reported to Samsung by Google Project Zero researcher Natalie Silvanovich, who found that the flaw impacts Samsung Galaxy S23 and S24 phones.

The bug is linked to Google Messages’ transcription service. When rich communication services (RCS) are enabled, the service automatically decodes incoming audio messages locally, so the issue can potentially be exploited without user interaction.

Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities audio codecs now fully-remote. This bug in an obscure Samsung S24 codec is 0-click https://t.co/krPcWMGLpZ — Natalie Silvanovich (@natashenka) January 10, 2025
Published: 2025-01-10T14:45:46