CVE-2024-49415
Samsung S24 APE Decoder Out-Of-Bounds Write
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Out-of-bound write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code.
La escritura fuera de los límites en libsaped.so anterior a SMR Dec-2024 Release 1 permite a atacantes remotos ejecutar código arbitrario.
There is an out-of-bounds write in the Monkey's Audio (APE) decoder on the Samsung S24. The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000. While the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write up to 3 * blocksperframe bytes out, if the bytes per sample of the input is 24. This means that an APE file with a large blocksperframe size can substantially overflow this buffer. Note that this is a fully-remote (0-click) bug on the Samsung S24 if Google Messages is configured for RCS (the default configuration on this device), as the transcription service decodes incoming audio before a user interacts with the message for transcription purposes.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-10-15 CVE Reserved
- 2024-12-03 CVE Published
- 2024-12-03 CVE Updated
- 2025-01-10 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (2)
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Samsung Mobile Search vendor "Samsung Mobile" | Samsung Mobile Devices Search vendor "Samsung Mobile" for product "Samsung Mobile Devices" | * | - |
Affected
| ||||||
| Samsung Search vendor "Samsung" | Android Search vendor "Samsung" for product "Android" | * | - |
Affected
| ||||||